From 0e6ee83edb36a7482e8188c77207a6a53aa85d86 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Mar 2024 18:17:44 -0700 Subject: [PATCH 1/6] chore: bump webpack-dev-middleware from 5.3.1 to 5.3.4 in /website (#3332) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- website/yarn.lock | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/website/yarn.lock b/website/yarn.lock index 456dfe1fe89..74a52199d8a 100644 --- a/website/yarn.lock +++ b/website/yarn.lock @@ -4297,6 +4297,11 @@ fs-monkey@1.0.3: resolved "https://registry.yarnpkg.com/fs-monkey/-/fs-monkey-1.0.3.tgz#ae3ac92d53bb328efe0e9a1d9541f6ad8d48e2d3" integrity sha512-cybjIfiiE+pTWicSCLFHSrXZ6EilF30oh91FDP9S2B051prEa7QWfrVTQm10/dDpswBDXZugPa1Ogu8Yh+HV0Q== +fs-monkey@^1.0.4: + version "1.0.5" + resolved "https://registry.yarnpkg.com/fs-monkey/-/fs-monkey-1.0.5.tgz#fe450175f0db0d7ea758102e1d84096acb925788" + integrity sha512-8uMbBjrhzW76TYgEV27Y5E//W2f/lTFmx78P2w19FZSxarhI/798APGQyuGCwmkNxgwGRhrLfvWyLBvNtuOmew== + fs.realpath@^1.0.0: version "1.0.0" resolved "https://registry.yarnpkg.com/fs.realpath/-/fs.realpath-1.0.0.tgz#1504ad2523158caa40db4a2787cb01411994ea4f" 
@@ -5330,13 +5335,20 @@ media-typer@0.3.0: resolved "https://registry.yarnpkg.com/media-typer/-/media-typer-0.3.0.tgz#8710d7af0aa626f8fffa1ce00168545263255748" integrity sha1-hxDXrwqmJvj/+hzgAWhUUmMlV0g= -memfs@^3.1.2, memfs@^3.4.1: +memfs@^3.1.2: version "3.4.1" resolved "https://registry.yarnpkg.com/memfs/-/memfs-3.4.1.tgz#b78092f466a0dce054d63d39275b24c71d3f1305" integrity sha512-1c9VPVvW5P7I85c35zAdEr1TD5+F11IToIHIlrVIcflfnzPkJa0ZoYEoEdYDP8KgPFoSZ/opDrUsAoZWym3mtw== dependencies: fs-monkey "1.0.3" +memfs@^3.4.3: + version "3.6.0" + resolved "https://registry.yarnpkg.com/memfs/-/memfs-3.6.0.tgz#d7a2110f86f79dd950a8b6df6d57bc984aa185f6" + integrity sha512-EGowvkkgbMcIChjMTMkESFDbZeSh8xZ7kNSF0hAiAN4Jh6jgHCRS0Ga/+C8y6Au+oqpezRHCfPsmJ2+DwAgiwQ== + dependencies: + fs-monkey "^1.0.4" + merge-descriptors@1.0.1: version "1.0.1" resolved "https://registry.yarnpkg.com/merge-descriptors/-/merge-descriptors-1.0.1.tgz#b00aaa556dd8b44568150ec9d1b953f3f90cbb61" @@ -7683,12 +7695,12 @@ webpack-bundle-analyzer@^4.5.0: ws "^7.3.1" webpack-dev-middleware@^5.3.1: - version "5.3.1" - resolved "https://registry.yarnpkg.com/webpack-dev-middleware/-/webpack-dev-middleware-5.3.1.tgz#aa079a8dedd7e58bfeab358a9af7dab304cee57f" - integrity sha512-81EujCKkyles2wphtdrnPg/QqegC/AtqNH//mQkBYSMqwFVCQrxM6ktB2O/SPlZy7LqeEfTbV3cZARGQz6umhg== + version "5.3.4" + resolved "https://registry.yarnpkg.com/webpack-dev-middleware/-/webpack-dev-middleware-5.3.4.tgz#eb7b39281cbce10e104eb2b8bf2b63fce49a3517" + integrity sha512-BVdTqhhs+0IfoeAf7EoH5WE+exCmqGerHfDM0IL096Px60Tq2Mn9MAbnaGUe6HiMa41KMCYF19gyzZmBcq/o4Q== dependencies: colorette "^2.0.10" - memfs "^3.4.1" + memfs "^3.4.3" mime-types "^2.1.31" range-parser "^1.2.1" schema-utils "^4.0.0" From 2454be6ad03a24e2aeaf090f332e5c3fd3eed288 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Mar 2024 20:02:17 -0700 Subject: [PATCH 2/6] chore: bump express from 4.18.1 to 4.19.2 in /website (#3334) 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- website/yarn.lock | 55 ++++++++++++++++++++++++++--------------------- 1 file changed, 30 insertions(+), 25 deletions(-) diff --git a/website/yarn.lock b/website/yarn.lock index 74a52199d8a..6c92a56eb8c 100644 --- a/website/yarn.lock +++ b/website/yarn.lock @@ -2914,21 +2914,21 @@ binary-extensions@^2.0.0: resolved "https://registry.yarnpkg.com/binary-extensions/-/binary-extensions-2.2.0.tgz#75f502eeaf9ffde42fc98829645be4ea76bd9e2d" integrity sha512-jDctJ/IVQbZoJykoeHbhXpOlNBqGNcwXJKJog42E5HDPUwQTSdjCHdihjj0DlnheQ7blbT6dHOafNAiS8ooQKA== -body-parser@1.20.0: - version "1.20.0" - resolved "https://registry.yarnpkg.com/body-parser/-/body-parser-1.20.0.tgz#3de69bd89011c11573d7bfee6a64f11b6bd27cc5" - integrity sha512-DfJ+q6EPcGKZD1QWUjSpqp+Q7bDQTsQIF4zfUAtZ6qk+H/3/QRhg9CEp39ss+/T2vw0+HaidC0ecJj/DRLIaKg== +body-parser@1.20.2: + version "1.20.2" + resolved "https://registry.yarnpkg.com/body-parser/-/body-parser-1.20.2.tgz#6feb0e21c4724d06de7ff38da36dad4f57a747fd" + integrity sha512-ml9pReCu3M61kGlqoTm2umSXTlRTuGTx0bfYj+uIUKKYycG5NtSbeetV3faSU6R7ajOPw0g/J1PvK4qNy7s5bA== dependencies: bytes "3.1.2" - content-type "~1.0.4" + content-type "~1.0.5" debug "2.6.9" depd "2.0.0" destroy "1.2.0" http-errors "2.0.0" iconv-lite "0.4.24" on-finished "2.4.1" - qs "6.10.3" - raw-body "2.5.1" + qs "6.11.0" + raw-body "2.5.2" type-is "~1.6.18" unpipe "1.0.0" 
@@ -3373,6 +3373,11 @@ content-type@~1.0.4: resolved "https://registry.yarnpkg.com/content-type/-/content-type-1.0.4.tgz#e138cc75e040c727b1966fe5e5f8c9aee256fe3b" integrity sha512-hIP3EEPs8tB9AT1L+NUqtwOAps4mk2Zob89MWXMHjHWg9milF/j4osnnQLXBCBFBk/tvIG/tUc9mOUJiPBhPXA== +content-type@~1.0.5: + version "1.0.5" + resolved "https://registry.yarnpkg.com/content-type/-/content-type-1.0.5.tgz#8b773162656d1d1086784c8f23a54ce6d73d7918" + integrity sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA== + convert-source-map@^1.7.0: version "1.8.0" resolved "https://registry.yarnpkg.com/convert-source-map/-/convert-source-map-1.8.0.tgz#f3373c32d21b4d780dd8004514684fb791ca4369" @@ -3385,10 +3390,10 @@ cookie-signature@1.0.6: resolved "https://registry.yarnpkg.com/cookie-signature/-/cookie-signature-1.0.6.tgz#e303a882b342cc3ee8ca513a79999734dab3ae2c" integrity sha1-4wOogrNCzD7oylE6eZmXNNqzriw= -cookie@0.5.0: - version "0.5.0" - resolved "https://registry.yarnpkg.com/cookie/-/cookie-0.5.0.tgz#d1f5d71adec6558c58f389987c366aa47e994f8b" - integrity sha512-YZ3GUyn/o8gfKJlnlX7g7xq4gyO6OSuhGPKaaGssGB2qgDUS0gPgtTvoyZLTt9Ab6dC4hfc9dV5arkvc/OCmrw== +cookie@0.6.0: + version "0.6.0" + resolved "https://registry.yarnpkg.com/cookie/-/cookie-0.6.0.tgz#2798b04b071b0ecbff0dbb62a505a8efa4e19051" + integrity sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw== copy-text-to-clipboard@^3.0.1: version "3.0.1" 
@@ -4039,16 +4044,16 @@ execa@^5.0.0: strip-final-newline "^2.0.0" express@^4.17.3: - version "4.18.1" - resolved "https://registry.yarnpkg.com/express/-/express-4.18.1.tgz#7797de8b9c72c857b9cd0e14a5eea80666267caf" - integrity sha512-zZBcOX9TfehHQhtupq57OF8lFZ3UZi08Y97dwFCkD8p9d/d2Y3M+ykKcwaMDEL+4qyUolgBDX6AblpR3fL212Q== + version "4.19.2" + resolved "https://registry.yarnpkg.com/express/-/express-4.19.2.tgz#e25437827a3aa7f2a827bc8171bbbb664a356465" + integrity sha512-5T6nhjsT+EOMzuck8JjBHARTHfMht0POzlA60WV2pMD3gyXw2LZnZ+ueGdNxG+0calOJcWKbpFcuzLZ91YWq9Q== dependencies: accepts "~1.3.8" array-flatten "1.1.1" - body-parser "1.20.0" + body-parser "1.20.2" content-disposition "0.5.4" content-type "~1.0.4" - cookie "0.5.0" + cookie "0.6.0" cookie-signature "1.0.6" debug "2.6.9" depd "2.0.0" @@ -4064,7 +4069,7 @@ express@^4.17.3: parseurl "~1.3.3" path-to-regexp "0.1.7" proxy-addr "~2.0.7" - qs "6.10.3" + qs "6.11.0" range-parser "~1.2.1" safe-buffer "5.2.1" send "0.18.0" @@ -6257,10 +6262,10 @@ pure-color@^1.2.0: resolved "https://registry.yarnpkg.com/pure-color/-/pure-color-1.3.0.tgz#1fe064fb0ac851f0de61320a8bf796836422f33e" integrity sha1-H+Bk+wrIUfDeYTIKi/eWg2Qi8z4= -qs@6.10.3: - version "6.10.3" - resolved "https://registry.yarnpkg.com/qs/-/qs-6.10.3.tgz#d6cde1b2ffca87b5aa57889816c5f81535e22e8e" - integrity sha512-wr7M2E0OFRfIfJZjKGieI8lBKb7fRCH4Fv5KNPEs7gJ8jadvotdsS08PzOKR7opXhZ/Xkjtt3WF9g38drmyRqQ== +qs@6.11.0: + version "6.11.0" + resolved "https://registry.yarnpkg.com/qs/-/qs-6.11.0.tgz#fd0d963446f7a65e1367e01abd85429453f0c37a" + integrity sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q== dependencies: side-channel "^1.0.4" 
@@ -6293,10 +6298,10 @@ range-parser@^1.2.1, range-parser@~1.2.1: resolved "https://registry.yarnpkg.com/range-parser/-/range-parser-1.2.1.tgz#3cf37023d199e1c24d1a55b84800c2f3e6468031" integrity sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg== -raw-body@2.5.1: - version "2.5.1" - resolved "https://registry.yarnpkg.com/raw-body/-/raw-body-2.5.1.tgz#fe1b1628b181b700215e5fd42389f98b71392857" - integrity sha512-qqJBtEyVgS0ZmPGdCFPWJ3FreoqvG4MVQln/kCgF7Olq95IbOp0/BWyMwbdtn4VTvkM8Y7khCQ2Xgk/tcrCXig== +raw-body@2.5.2: + version "2.5.2" + resolved "https://registry.yarnpkg.com/raw-body/-/raw-body-2.5.2.tgz#99febd83b90e08975087e8f1f9419a149366b68a" + integrity sha512-8zGqypfENjCIqGhgXToC8aB2r7YrBX+AQAfIPs/Mlk+BtPTztOvTS01NRW/3Eh60J+a48lt8qsCzirQ6loCVfA== dependencies: bytes "3.1.2" http-errors "2.0.0" From c3c3c20e2cc99c6f1c47517097079b5ae1bda193 Mon Sep 17 00:00:00 2001 From: Rita Zhang Date: Tue, 26 Mar 2024 14:03:13 -0700 Subject: [PATCH 3/6] feat: enable vap in helm (#3329) Signed-off-by: Rita Zhang --- .github/workflows/workflow.yaml | 5 +++-- Makefile | 6 +++++- cmd/build/helmify/kustomize-for-helm.yaml | 2 ++ cmd/build/helmify/static/README.md | 2 ++ cmd/build/helmify/static/values.yaml | 2 ++ main.go | 2 +- manifest_staging/charts/gatekeeper/README.md | 2 ++ .../templates/gatekeeper-controller-manager-deployment.yaml | 2 ++ manifest_staging/charts/gatekeeper/values.yaml | 2 ++ 9 files changed, 21 insertions(+), 4 deletions(-) diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml index 1bfd0904039..9ea80aadec0 100644 --- a/.github/workflows/workflow.yaml +++ b/.github/workflows/workflow.yaml @@ -245,7 +245,8 @@ jobs: LOG_LEVEL=DEBUG make test-e2e \ - GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }} + GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }} \ + ENABLE_VAP_TESTS=1 - name: Save logs if: ${{ always() }} 
@@ -289,7 +290,7 @@ jobs: make e2e-bootstrap - name: Run e2e - run: | # TODO(ritazh): set ENABLE_VAP_TESTS=1 before alpha release + run: | make docker-buildx \ IMG=gatekeeper-e2e:latest diff --git a/Makefile b/Makefile index a62729ef39d..faccede490f 100644 --- a/Makefile +++ b/Makefile @@ -249,6 +249,8 @@ else --set disabledBuiltins={http.send} \ --set logMutations=true \ --set logLevel=${LOG_LEVEL} \ + --set enableK8sNativeValidation=true \ + --set vapEnforcement=GATEKEEPER_DEFAULT \ --set mutationAnnotations=true endif @@ -288,6 +290,8 @@ e2e-helm-upgrade: --set disabledBuiltins={http.send} \ --set logMutations=true \ --set logLevel=${LOG_LEVEL} \ + --set enableK8sNativeValidation=true \ + --set vapEnforcement=GATEKEEPER_DEFAULT \ --set mutationAnnotations=true;\ e2e-subscriber-build-load-image: @@ -344,7 +348,7 @@ manifests: __controller-gen output:crd:artifacts:config=config/crd/bases ./build/update-match-schema.sh rm -rf manifest_staging - mkdir -p manifest_staging/deploy/experimental + mkdir -p manifest_staging/deploy mkdir -p manifest_staging/charts/gatekeeper docker run --rm -v $(shell pwd):/gatekeeper \ registry.k8s.io/kustomize/kustomize:v${KUSTOMIZE_VERSION} build \ diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml index bd8847ac979..6a336e57b37 100644 --- a/cmd/build/helmify/kustomize-for-helm.yaml +++ b/cmd/build/helmify/kustomize-for-helm.yaml @@ -93,6 +93,8 @@ spec: - --validating-webhook-configuration-name={{ .Values.validatingWebhookName }} - --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }} - --external-data-provider-response-cache-ttl={{ .Values.externaldataProviderResponseCacheTTL }} + - --experimental-enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }} + - --vap-enforcement={{ .Values.vapEnforcement }} - HELMBUST_ENABLE_TLS_APISERVER_AUTHENTICATION - HELMSUBST_METRICS_BACKEND_ARG - HELMSUBST_TLS_HEALTHCHECK_ENABLED_ARG 
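Review bot: The `# TODO(ritazh): set ENABLE_VAP_TESTS=1 before alpha release` marker on the `Run e2e` step is removed, but nothing visible in this hunk sets `ENABLE_VAP_TESTS=1` for this job. Only the earlier hunk at line 245 adds it to a `make test-e2e` call. The step's script continues outside the hunk, so this may already be handled further down. If it is not, either pass `ENABLE_VAP_TESTS=1` to this job's test invocation or keep the TODO so the coverage gap stays visible.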
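Review bot: Both new args are rendered unconditionally, `--experimental-enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}` and `--vap-enforcement={{ .Values.vapEnforcement }}`, so an install whose supplied values lack these keys (for example an upgrade that reuses a values set from before this chart version) would likely render them with an empty value. main.go declares the first one with `flag.Bool`, and Go's flag package rejects an empty boolean value, which would stop the controller at startup. Consider `{{ .Values.enableK8sNativeValidation | default false }}` and `{{ .Values.vapEnforcement | default "GATEKEEPER_DEFAULT" }}`. The same two lines appear in manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml, which looks like it is generated from this file. The container args list continues outside the hunk.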
diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index 7d77041443b..dacd51240ba 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md @@ -163,6 +163,8 @@ information._ | mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` | | emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` | | emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` | +| enableK8sNativeValidation | Enable the K8s Native Validating driver to create CEL-based rules (alpha feature) | `false` | +| vapEnforcement | Generate K8s Validating Admission Policy resource. Allowed values are NONE: do not generate, GATEKEEPER_DEFAULT: do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly, VAP_DEFAULT: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly. (alpha feature) | `GATEKEEPER_DEFAULT` | | auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | | admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | | logDenies | Log detailed info on each deny | `false` | diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index b3f9b1fa9a9..b5c09987127 100644 
--- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml @@ -42,6 +42,8 @@ admissionEventsInvolvedNamespace: false auditEventsInvolvedNamespace: false resourceQuota: true externaldataProviderResponseCacheTTL: 3m +enableK8sNativeValidation: false +vapEnforcement: GATEKEEPER_DEFAULT image: repository: openpolicyagent/gatekeeper crdRepository: openpolicyagent/gatekeeper-crds diff --git a/main.go b/main.go index e609948bad7..81e47317475 100644 --- a/main.go +++ b/main.go @@ -115,7 +115,7 @@ var ( certServiceName = flag.String("cert-service-name", "gatekeeper-webhook-service", "The service name used to generate the TLS cert's hostname. Defaults to gatekeeper-webhook-service") enableTLSHealthcheck = flag.Bool("enable-tls-healthcheck", false, "enable probing webhook API with certificate stored in certDir") disabledBuiltins = util.NewFlagSet() - enableK8sCel = flag.Bool("experimental-enable-k8s-native-validation", false, "PROTOTYPE (not stable): enable the validating admission policy driver") + enableK8sCel = flag.Bool("experimental-enable-k8s-native-validation", false, "Alpha: enable the validating admission policy driver") externaldataProviderResponseCacheTTL = flag.Duration("external-data-provider-response-cache-ttl", 3*time.Minute, "TTL for the external data provider response cache. Specify the duration in 'h', 'm', or 's' for hours, minutes, or seconds respectively. Defaults to 3 minutes if unspecified. Setting the TTL to 0 disables the cache.") ) diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index 7d77041443b..dacd51240ba 100644 --- a/manifest_staging/charts/gatekeeper/README.md +++ b/manifest_staging/charts/gatekeeper/README.md 
@@ -163,6 +163,8 @@ information._ | mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` | | emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` | | emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` | +| enableK8sNativeValidation | Enable the K8s Native Validating driver to create CEL-based rules (alpha feature) | `false` | +| vapEnforcement | Generate K8s Validating Admission Policy resource. Allowed values are NONE: do not generate, GATEKEEPER_DEFAULT: do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly, VAP_DEFAULT: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly. (alpha feature) | `GATEKEEPER_DEFAULT` | | auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | | admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | | logDenies | Log detailed info on each deny | `false` | diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml index 2455339d122..df9807a6d96 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml 
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml @@ -72,6 +72,8 @@ spec: - --validating-webhook-configuration-name={{ .Values.validatingWebhookName }} - --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }} - --external-data-provider-response-cache-ttl={{ .Values.externaldataProviderResponseCacheTTL }} + - --experimental-enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }} + - --vap-enforcement={{ .Values.vapEnforcement }} {{ if ne .Values.controllerManager.clientCertName "" }}- --client-cert-name={{ .Values.controllerManager.clientCertName }}{{- end }} {{- range .Values.metricsBackends}} diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml index b3f9b1fa9a9..b5c09987127 100644 --- a/manifest_staging/charts/gatekeeper/values.yaml +++ b/manifest_staging/charts/gatekeeper/values.yaml @@ -42,6 +42,8 @@ admissionEventsInvolvedNamespace: false auditEventsInvolvedNamespace: false resourceQuota: true externaldataProviderResponseCacheTTL: 3m +enableK8sNativeValidation: false +vapEnforcement: GATEKEEPER_DEFAULT image: repository: openpolicyagent/gatekeeper crdRepository: openpolicyagent/gatekeeper-crds From 58f25a2bd4e3cabbfe358b7bca8beef2bd5949bd Mon Sep 17 00:00:00 2001 From: Rita Zhang Date: Tue, 26 Mar 2024 15:48:05 -0700 Subject: [PATCH 4/6] docs: update opa version in readme (#3330) Signed-off-by: Rita Zhang --- README.md | 2 +- website/docs/opa-versions.md | 1 + website/versioned_docs/version-v3.15.x/opa-versions.md | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 24d48f2d355..933b26be8cf 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Gatekeeper -![Static Badge](https://img.shields.io/badge/OPA%20Version-v0.54.0-blue) +![Static Badge](https://img.shields.io/badge/OPA%20Version-v0.60.0-blue) ## How is Gatekeeper different from OPA? 
diff --git a/website/docs/opa-versions.md b/website/docs/opa-versions.md index 13d8e90f7c6..2add1188150 100644 --- a/website/docs/opa-versions.md +++ b/website/docs/opa-versions.md @@ -7,6 +7,7 @@ Gatekeeper depends on [Open Policy Agent](https://www.openpolicyagent.org/). To | Gatekeeper Version | OPA Version | | ------------------ | ----------- | +| `v3.15.1` | `v0.60.0` | | `v3.15.0` | `v0.60.0` | | `v3.14.0` | `v0.57.1` | | `v3.13.0` | `v0.54.0` | diff --git a/website/versioned_docs/version-v3.15.x/opa-versions.md b/website/versioned_docs/version-v3.15.x/opa-versions.md index 13d8e90f7c6..2add1188150 100644 --- a/website/versioned_docs/version-v3.15.x/opa-versions.md +++ b/website/versioned_docs/version-v3.15.x/opa-versions.md @@ -7,6 +7,7 @@ Gatekeeper depends on [Open Policy Agent](https://www.openpolicyagent.org/). To | Gatekeeper Version | OPA Version | | ------------------ | ----------- | +| `v3.15.1` | `v0.60.0` | | `v3.15.0` | `v0.60.0` | | `v3.14.0` | `v0.57.1` | | `v3.13.0` | `v0.54.0` | From 9a5539aa4fe22f3b9e8d15ce96feb70db229b6b3 Mon Sep 17 00:00:00 2001 From: Ben Couture Date: Wed, 27 Mar 2024 12:36:50 -0400 Subject: [PATCH 5/6] fix: over-restrictive validation of wildcard match patterns (#3310) Signed-off-by: Ben Couture 
Signed-off-by: Ben Couture Co-authored-by: Rita Zhang --- .../bases/config.gatekeeper.sh_configs.yaml | 7 +- .../bases/match.gatekeeper.sh_matchcrd.yaml | 20 ++-- .../bases/mutations.gatekeeper.sh_assign.yaml | 48 ++++---- .../mutations.gatekeeper.sh_assignimage.yaml | 16 +-- ...utations.gatekeeper.sh_assignmetadata.yaml | 48 ++++---- .../mutations.gatekeeper.sh_modifyset.yaml | 48 ++++---- .../crds/assign-customresourcedefinition.yaml | 30 ++--- .../assignimage-customresourcedefinition.yaml | 10 +- ...signmetadata-customresourcedefinition.yaml | 30 ++--- .../crds/config-customresourcedefinition.yaml | 4 +- .../modifyset-customresourcedefinition.yaml | 30 ++--- manifest_staging/deploy/gatekeeper.yaml | 104 +++++++++--------- pkg/target/matchcrd_constant.go | 20 ++-- pkg/wildcard/wildcard.go | 8 +- pkg/wildcard/wildcard_test.go | 28 ++--- 15 files changed, 238 insertions(+), 213 deletions(-) diff --git a/config/crd/bases/config.gatekeeper.sh_configs.yaml b/config/crd/bases/config.gatekeeper.sh_configs.yaml index f9207c4dbab..aa870f987de 100644 --- a/config/crd/bases/config.gatekeeper.sh_configs.yaml +++ b/config/crd/bases/config.gatekeeper.sh_configs.yaml @@ -42,10 +42,11 @@ spec: excludedNamespaces: items: description: 'A string that supports globbing at its front - or end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system". The + and end. Ex: "kube-*" will match "kube-system" or "kube-public", + "*-system" will match "kube-system" or "gatekeeper-system", + "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array processes: diff --git a/config/crd/bases/match.gatekeeper.sh_matchcrd.yaml b/config/crd/bases/match.gatekeeper.sh_matchcrd.yaml index 1fd9983a63b..e504c6069fe 100644 --- a/config/crd/bases/match.gatekeeper.sh_matchcrd.yaml 
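Review bot: The relaxed pattern `^\*?[-:a-z0-9]*\*?$` no longer requires any literal character, so the empty string, a bare `*` and `**` all pass schema validation for `excludedNamespaces` entries, none of which the old pattern accepted. How the matcher treats those values is decided in pkg/wildcard/wildcard.go, which is not part of this view, but if a bare `*` matches every namespace, a single entry here would exempt the whole cluster from the listed processes. If match-all is not intended, `^\*?[-:a-z0-9]+\*?$` keeps the new `*system*` form while still requiring at least one literal character. The same pattern is applied to the `namespaces`, `excludedNamespaces` and `name` fields of the match and mutation CRDs later in this patch, and the `name` description there still reads "a prefix or suffix glob" although its pattern now permits both. These CRD files appear to be generated, so the change belongs on the source validation marker.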
+++ b/config/crd/bases/match.gatekeeper.sh_matchcrd.yaml @@ -38,11 +38,12 @@ spec: `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" - will match "kube-system" or "gatekeeper-system". The asterisk - is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required + for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -120,7 +121,7 @@ spec: a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's @@ -174,11 +175,12 @@ spec: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" - will match "kube-system" or "gatekeeper-system". The asterisk - is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required + for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: 
diff --git a/config/crd/bases/mutations.gatekeeper.sh_assign.yaml b/config/crd/bases/mutations.gatekeeper.sh_assign.yaml index 42d3c1bc386..60b2e470db8 100644 --- a/config/crd/bases/mutations.gatekeeper.sh_assign.yaml +++ b/config/crd/bases/mutations.gatekeeper.sh_assign.yaml @@ -75,11 +75,12 @@ spec: matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system". The + "*-system" will match "kube-system" or "gatekeeper-system", + "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -158,7 +159,7 @@ spec: a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an 
@@ -213,11 +214,12 @@ spec: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system". The + "*-system" will match "kube-system" or "gatekeeper-system", + "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: @@ -422,11 +424,12 @@ spec: matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system". The + "*-system" will match "kube-system" or "gatekeeper-system", + "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -505,7 +508,7 @@ spec: a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an 
@@ -560,11 +563,12 @@ spec: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system". The + "*-system" will match "kube-system" or "gatekeeper-system", + "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: @@ -769,11 +773,12 @@ spec: matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system". The + "*-system" will match "kube-system" or "gatekeeper-system", + "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -852,7 +857,7 @@ spec: a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an 
@@ -907,11 +912,12 @@ spec: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system". The + "*-system" will match "kube-system" or "gatekeeper-system", + "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: diff --git a/config/crd/bases/mutations.gatekeeper.sh_assignimage.yaml b/config/crd/bases/mutations.gatekeeper.sh_assignimage.yaml index b472e067181..85d4d58be8e 100644 --- a/config/crd/bases/mutations.gatekeeper.sh_assignimage.yaml +++ b/config/crd/bases/mutations.gatekeeper.sh_assignimage.yaml @@ -75,11 +75,12 @@ spec: matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system". The + "*-system" will match "kube-system" or "gatekeeper-system", + "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: 
@@ -158,7 +159,7 @@ spec: a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an @@ -213,11 +214,12 @@ spec: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system". The + "*-system" will match "kube-system" or "gatekeeper-system", + "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: diff --git a/config/crd/bases/mutations.gatekeeper.sh_assignmetadata.yaml b/config/crd/bases/mutations.gatekeeper.sh_assignmetadata.yaml index 902aba1db61..5d2883032c1 100644 --- a/config/crd/bases/mutations.gatekeeper.sh_assignmetadata.yaml +++ b/config/crd/bases/mutations.gatekeeper.sh_assignmetadata.yaml 
@@ -48,11 +48,12 @@ spec: matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system". The + "*-system" will match "kube-system" or "gatekeeper-system", + "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -131,7 +132,7 @@ spec: a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an @@ -186,11 +187,12 @@ spec: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system". The + "*-system" will match "kube-system" or "gatekeeper-system", + "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: 
@@ -347,11 +349,12 @@ spec: matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system". The + "*-system" will match "kube-system" or "gatekeeper-system", + "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -430,7 +433,7 @@ spec: a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an @@ -485,11 +488,12 @@ spec: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system". The + "*-system" will match "kube-system" or "gatekeeper-system", + "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: 
@@ -646,11 +650,12 @@ spec: matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system". The + "*-system" will match "kube-system" or "gatekeeper-system", + "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -729,7 +734,7 @@ spec: a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an @@ -784,11 +789,12 @@ spec: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system". The + "*-system" will match "kube-system" or "gatekeeper-system", + "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: diff --git a/config/crd/bases/mutations.gatekeeper.sh_modifyset.yaml b/config/crd/bases/mutations.gatekeeper.sh_modifyset.yaml index 7e95583fb54..1c0c28b85e8 100644 
--- a/config/crd/bases/mutations.gatekeeper.sh_modifyset.yaml +++ b/config/crd/bases/mutations.gatekeeper.sh_modifyset.yaml @@ -76,11 +76,12 @@ spec: matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system". The + "*-system" will match "kube-system" or "gatekeeper-system", + "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -159,7 +160,7 @@ spec: a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an @@ -214,11 +215,12 @@ spec: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system". The + "*-system" will match "kube-system" or "gatekeeper-system", + "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: 
@@ -389,11 +391,12 @@ spec: matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system". The + "*-system" will match "kube-system" or "gatekeeper-system", + "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -472,7 +475,7 @@ spec: a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an @@ -527,11 +530,12 @@ spec: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system". The + "*-system" will match "kube-system" or "gatekeeper-system", + "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: 
@@ -702,11 +706,12 @@ spec: matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system". The + "*-system" will match "kube-system" or "gatekeeper-system", + "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -785,7 +790,7 @@ spec: a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an @@ -840,11 +845,12 @@ spec: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system". The + "*-system" will match "kube-system" or "gatekeeper-system", + "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: 
diff --git a/manifest_staging/charts/gatekeeper/crds/assign-customresourcedefinition.yaml b/manifest_staging/charts/gatekeeper/crds/assign-customresourcedefinition.yaml index 0221a194812..7a709aa9e93 100644 --- a/manifest_staging/charts/gatekeeper/crds/assign-customresourcedefinition.yaml +++ b/manifest_staging/charts/gatekeeper/crds/assign-customresourcedefinition.yaml @@ -64,8 +64,8 @@ spec: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: 
@@ -115,7 +115,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. @@ -150,8 +150,8 @@ spec: namespaces: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: 
@@ -309,8 +309,8 @@ spec: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -360,7 +360,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. 
@@ -395,8 +395,8 @@ spec: namespaces: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: 
@@ -554,8 +554,8 @@ spec: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -605,7 +605,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. 
@@ -640,8 +640,8 @@ spec: namespaces: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: diff --git a/manifest_staging/charts/gatekeeper/crds/assignimage-customresourcedefinition.yaml b/manifest_staging/charts/gatekeeper/crds/assignimage-customresourcedefinition.yaml index 197f2f17933..a6ae2b75bc6 100644 --- a/manifest_staging/charts/gatekeeper/crds/assignimage-customresourcedefinition.yaml +++ b/manifest_staging/charts/gatekeeper/crds/assignimage-customresourcedefinition.yaml 
@@ -64,8 +64,8 @@ spec: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -115,7 +115,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. 
@@ -150,8 +150,8 @@ spec: namespaces: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: diff --git a/manifest_staging/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml b/manifest_staging/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml index 65c17ed3ae1..f3c4dca92fb 100644 --- a/manifest_staging/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml +++ b/manifest_staging/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml 
@@ -44,8 +44,8 @@ spec: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -95,7 +95,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. 
@@ -130,8 +130,8 @@ spec: namespaces: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: 
@@ -255,8 +255,8 @@ spec: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -306,7 +306,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. 
@@ -341,8 +341,8 @@ spec: namespaces: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: 
@@ -466,8 +466,8 @@ spec: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -517,7 +517,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. 
@@ -552,8 +552,8 @@ spec: namespaces: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: diff --git a/manifest_staging/charts/gatekeeper/crds/config-customresourcedefinition.yaml b/manifest_staging/charts/gatekeeper/crds/config-customresourcedefinition.yaml index 269ca95f9a2..36bb7d541b7 100644 --- a/manifest_staging/charts/gatekeeper/crds/config-customresourcedefinition.yaml +++ b/manifest_staging/charts/gatekeeper/crds/config-customresourcedefinition.yaml 
@@ -38,8 +38,8 @@ spec: properties: excludedNamespaces: items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array processes: diff --git a/manifest_staging/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml b/manifest_staging/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml index 46574fd369f..4ee2a39d106 100644 --- a/manifest_staging/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml +++ b/manifest_staging/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml 
@@ -64,8 +64,8 @@ spec: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -115,7 +115,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. 
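Review bot: In the `name` hunk (`@@ -115,7 +115,7 @@`) the pattern is relaxed but the description on the line above still says "Name also supports a prefix or suffix glob" and gives only the `pod-*` and `*-pod` examples. The items descriptions in the namespace hunks were updated to cover the front-and-end form, so the `name` text should be brought in line with them, for example `Name also supports a prefix, suffix, or prefix-and-suffix glob` with a `name: *pod*` example. The parent `namespaces` and `excludedNamespaces` descriptions have the same stale "prefix or suffix based glob" wording, and the other `name` hunks on this page repeat it. If the manifests are generated, the wording should be fixed in the source doc comment.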
@@ -150,8 +150,8 @@ spec: namespaces: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: 
@@ -282,8 +282,8 @@ spec: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -333,7 +333,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. 
@@ -368,8 +368,8 @@ spec: namespaces: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: 
@@ -500,8 +500,8 @@ spec: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -551,7 +551,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. 
@@ -586,8 +586,8 @@ spec: namespaces: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: diff --git a/manifest_staging/deploy/gatekeeper.yaml b/manifest_staging/deploy/gatekeeper.yaml index 618cd8e2fc6..53d0beb7d10 100644 --- a/manifest_staging/deploy/gatekeeper.yaml +++ b/manifest_staging/deploy/gatekeeper.yaml 
@@ -96,8 +96,8 @@ spec: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -147,7 +147,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. 
@@ -182,8 +182,8 @@ spec: namespaces: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: 
@@ -341,8 +341,8 @@ spec: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -392,7 +392,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. 
@@ -427,8 +427,8 @@ spec: namespaces: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: 
@@ -586,8 +586,8 @@ spec: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -637,7 +637,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. 
@@ -672,8 +672,8 @@ spec: namespaces: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: 
@@ -854,8 +854,8 @@ spec: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -905,7 +905,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. 
@@ -940,8 +940,8 @@ spec: namespaces: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: 
@@ -1072,8 +1072,8 @@ spec: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -1123,7 +1123,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. 
@@ -1158,8 +1158,8 @@ spec: namespaces: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: 
@@ -1283,8 +1283,8 @@ spec: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -1334,7 +1334,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. 
@@ -1369,8 +1369,8 @@ spec: namespaces: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: 
@@ -1494,8 +1494,8 @@ spec: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -1545,7 +1545,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. 
@@ -1580,8 +1580,8 @@ spec: namespaces: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: @@ -1722,8 +1722,8 @@ spec: properties: excludedNamespaces: items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array processes: 
@@ -2615,8 +2615,8 @@ spec: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -2666,7 +2666,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. 
@@ -2701,8 +2701,8 @@ spec: namespaces: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: 
@@ -2833,8 +2833,8 @@ spec: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -2884,7 +2884,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. 
@@ -2919,8 +2919,8 @@ spec: namespaces: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: 
@@ -3051,8 +3051,8 @@ spec: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -3102,7 +3102,7 @@ spec: type: object name: description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. 
@@ -3137,8 +3137,8 @@ spec: namespaces: description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: diff --git a/pkg/target/matchcrd_constant.go b/pkg/target/matchcrd_constant.go index fd454258514..a390668bd47 100644 --- a/pkg/target/matchcrd_constant.go +++ b/pkg/target/matchcrd_constant.go 
@@ -44,11 +44,12 @@ spec: `+"`"+`kube-system`+"`"+` and `+"`"+`kube-public`+"`"+`, and `+"`"+`excludedNamespaces: [*-system]`+"`"+` matches both `+"`"+`kube-system`+"`"+` and `+"`"+`gatekeeper-system`+"`"+`.' items: - description: 'A string that supports globbing at its front or end. + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" - will match "kube-system" or "gatekeeper-system". The asterisk - is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required + for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: @@ -126,7 +127,7 @@ spec: a prefix or suffix glob. For example, `+"`"+`name: pod-*`+"`"+` would match both `+"`"+`pod-a`+"`"+` and `+"`"+`pod-b`+"`"+`, and `+"`"+`name: *-pod`+"`"+` would match both `+"`"+`a-pod`+"`"+` and `+"`"+`b-pod`+"`"+`.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an object's 
@@ -180,11 +181,12 @@ spec: [kube-*]`+"`"+` matches both `+"`"+`kube-system`+"`"+` and `+"`"+`kube-public`+"`"+`, and `+"`"+`namespaces: [*-system]`+"`"+` matches both `+"`"+`kube-system`+"`"+` and `+"`"+`gatekeeper-system`+"`"+`.' items: - description: 'A string that supports globbing at its front or end. + description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" - will match "kube-system" or "gatekeeper-system". The asterisk - is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required + for wildcard matching.' + pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: diff --git a/pkg/wildcard/wildcard.go b/pkg/wildcard/wildcard.go index 36df10bfa7c..687a2a8f2bb 100644 --- a/pkg/wildcard/wildcard.go +++ b/pkg/wildcard/wildcard.go @@ -2,11 +2,11 @@ package wildcard import "strings" -// +kubebuilder:validation:Pattern=`^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$` +// +kubebuilder:validation:Pattern=`^\*?[-:a-z0-9]*\*?$` -// A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or -// "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is -// required for wildcard matching. +// A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or +// "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will +// match "system-kube" or "kube-system". The asterisk is required for wildcard matching. // //nolint:revive type Wildcard string diff --git a/pkg/wildcard/wildcard_test.go b/pkg/wildcard/wildcard_test.go index d3853eebae8..cf273ed1a80 100644 --- a/pkg/wildcard/wildcard_test.go +++ b/pkg/wildcard/wildcard_test.go 
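Review bot: The relaxed pattern `^\*?[-:a-z0-9]*\*?$` on the `Wildcard` type in pkg/wildcard/wildcard.go now accepts the empty string, a bare `*` and `**`, because the body is `*`-quantified; the previous pattern required at least one alphanumeric character. The same pattern is copied into `namespaces`, `excludedNamespaces` and `name` in the generated CRD and matchcrd_constant.go hunks of this patch, so an entry like `excludedNamespaces: ["**"]` passes schema validation, and the test added in wildcard_test.go expects `**` to match `my:namespace`, which suggests a single entry can take every namespace out of a constraint's scope. If only the `*text*` form was meant to be added, require a non-empty body with `^\*?[-:a-z0-9]+\*?$`; if match-all is intended, state in the type comment which match-all spellings are accepted so reviewers of constraints know to look for them. The `name` and namespace field descriptions in the generated hunks still say "prefix or suffix glob" and look stale, though their source comments are outside this hunk.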
@@ -54,11 +54,17 @@ func TestMatches(t *testing.T) { matches: false, }, { - name: "wildcard suffix and prefix match", + name: "wildcard suffix and prefix, match", w: Wildcard("*-kube-*"), candidate: "test-kube-test", matches: true, }, + { + name: "wildcard suffix and prefix, no match", + w: Wildcard("*-kube-*"), + candidate: "my-kub-controller", + matches: false, + }, { name: "no wildcard, only hypens at suffix and prefix", w: Wildcard("-kube-"), @@ -66,22 +72,16 @@ func TestMatches(t *testing.T) { matches: false, }, { - name: "wild card at suffix and prefix, multiple hyphens", - w: Wildcard("*-kube-*"), - candidate: "test-dev-kube-dev-test", + name: "wildcard with consecutive hyphens", + w: Wildcard("*--*"), + candidate: "my--namespace", matches: true, }, { - name: "wild card at suffid and end, multiple hypens, no match", - w: Wildcard("*-kube-*"), - candidate: "my-kub-controller", - matches: false, - }, - { - name: "wild card at suffix and prefix, multiple hyphens, no match", - w: Wildcard("*-kube-*"), - candidate: "my-controller-manager", - matches: false, + name: "double wildcard", + w: Wildcard("**"), + candidate: "my:namespace", + matches: true, }, } From 1dca4dfa7fbda21cad3e151a8c495c8b3107e29c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Serta=C3=A7=20=C3=96zercan?= <852750+sozercan@users.noreply.github.com> Date: Wed, 27 Mar 2024 16:47:04 -0700 Subject: [PATCH 6/6] chore: bump to go 1.22 bookworm (#3323) 
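Review bot: The reworked table in TestMatches has no case for the `"*system*"` example that the updated description documents (stated to match `system-kube` and `kube-system`), and none for the inputs the relaxed pattern newly admits, `Wildcard("")` and a bare `Wildcard("*")`. The second hunk also drops the `*-kube-*` cases with multi-hyphen candidates (`test-dev-kube-dev-test`, `my-controller-manager`) without a replacement. Adding an entry such as `{name: "wildcard both ends, no hyphens", w: Wildcard("*system*"), candidate: "system-kube", matches: true}`, plus cases that fix what the empty and lone-asterisk wildcards match, would pin the behaviour the schema now allows. TestMatches starts and ends outside these hunks, so other rows of the table may already cover part of this.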
Signed-off-by: Sertac Ozercan --- .github/workflows/license-lint.yaml | 2 +- .github/workflows/release-pr.yaml | 2 +- .github/workflows/release.yaml | 2 +- .github/workflows/scan-vulns.yaml | 2 +- .github/workflows/workflow.yaml | 12 +- .go-version | 2 +- .golangci.yaml | 2 +- Dockerfile | 2 +- Tiltfile | 2 +- apis/config/v1alpha1/zz_generated.deepcopy.go | 1 - .../unversioned/zz_generated.deepcopy.go | 1 - .../v1alpha1/zz_generated.deepcopy.go | 1 - .../v1beta1/zz_generated.deepcopy.go | 1 - .../unversioned/zz_generated.deepcopy.go | 1 - apis/mutations/v1/zz_generated.deepcopy.go | 1 - .../v1alpha1/zz_generated.deepcopy.go | 1 - .../v1beta1/zz_generated.deepcopy.go | 1 - apis/status/v1beta1/zz_generated.deepcopy.go | 1 - .../syncset/v1alpha1/zz_generated.deepcopy.go | 1 - build/tooling/Dockerfile | 6 +- config/crd/bases/_.yaml | 3 +- .../bases/config.gatekeeper.sh_configs.yaml | 29 +- ...nsion.gatekeeper.sh_expansiontemplate.yaml | 113 +- .../bases/match.gatekeeper.sh_matchcrd.yaml | 185 +- .../bases/mutations.gatekeeper.sh_assign.yaml | 759 +++---- .../mutations.gatekeeper.sh_assignimage.yaml | 248 +-- ...utations.gatekeeper.sh_assignmetadata.yaml | 660 +++--- .../mutations.gatekeeper.sh_modifyset.yaml | 732 +++---- ...s.gatekeeper.sh_constraintpodstatuses.yaml | 25 +- ...eper.sh_constrainttemplatepodstatuses.yaml | 28 +- ...eeper.sh_expansiontemplatepodstatuses.yaml | 28 +- ...atus.gatekeeper.sh_mutatorpodstatuses.yaml | 33 +- .../bases/syncset.gatekeeper.sh_syncsets.yaml | 20 +- config/rbac/role.yaml | 2 - config/webhook/manifests.yaml | 2 - gator.Dockerfile | 2 +- .../crds/assign-customresourcedefinition.yaml | 494 ++++- .../assignimage-customresourcedefinition.yaml | 162 +- ...signmetadata-customresourcedefinition.yaml | 425 +++- .../crds/config-customresourcedefinition.yaml | 20 +- ...intpodstatus-customresourcedefinition.yaml | 20 +- ...atepodstatus-customresourcedefinition.yaml | 20 +- ...siontemplate-customresourcedefinition.yaml | 82 +- 
...atepodstatus-customresourcedefinition.yaml | 20 +- .../modifyset-customresourcedefinition.yaml | 482 ++++- ...torpodstatus-customresourcedefinition.yaml | 24 +- .../syncset-customresourcedefinition.yaml | 15 +- .../gatekeeper-manager-role-clusterrole.yaml | 1 - .../gatekeeper-manager-role-role.yaml | 1 - manifest_staging/deploy/gatekeeper.yaml | 1766 +++++++++++++---- pkg/mutation/match/zz_generated.deepcopy.go | 1 - pkg/target/matchcrd_constant.go | 185 +- test/externaldata/dummy-provider/Dockerfile | 2 +- test/image/Dockerfile | 2 +- test/pubsub/fake-subscriber/Dockerfile | 2 +- 55 files changed, 4501 insertions(+), 2136 deletions(-) diff --git a/.github/workflows/license-lint.yaml b/.github/workflows/license-lint.yaml index 972babe2826..f5cb8b1ab08 100644 --- a/.github/workflows/license-lint.yaml +++ b/.github/workflows/license-lint.yaml @@ -32,7 +32,7 @@ jobs: - name: Set up Go uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: - go-version: "1.21" + go-version: "1.22" check-latest: true - name: Check out code into the Go module directory diff --git a/.github/workflows/release-pr.yaml b/.github/workflows/release-pr.yaml index 71ec12b8989..48962819960 100644 --- a/.github/workflows/release-pr.yaml +++ b/.github/workflows/release-pr.yaml @@ -25,7 +25,7 @@ jobs: - name: Set up Go uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: - go-version: "1.21" + go-version: "1.22" check-latest: true - name: Set release version and target branch for vNext diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 2db870e8ca0..2484d12fc87 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -37,7 +37,7 @@ jobs: - name: Set up Go uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: - go-version: "1.21" + go-version: "1.22" check-latest: true - name: Get tag 
diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml index 7570ea6f916..277f3de8314 100644 --- a/.github/workflows/scan-vulns.yaml +++ b/.github/workflows/scan-vulns.yaml @@ -33,7 +33,7 @@ jobs: steps: - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: - go-version: "1.21" + go-version: "1.22" check-latest: true - uses: golang/govulncheck-action@3a32958c2706f7048305d5a2e53633d7e37e97d0 # v1.0.2 diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml index 9ea80aadec0..926a7ef82ee 100644 --- a/.github/workflows/workflow.yaml +++ b/.github/workflows/workflow.yaml @@ -42,7 +42,7 @@ jobs: - name: Set up Go uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: - go-version: "1.21" + go-version: "1.22" check-latest: true # source: https://github.com/golangci/golangci-lint-action @@ -68,7 +68,7 @@ jobs: - name: Set up Go uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: - go-version: "1.21" + go-version: "1.22" check-latest: true - name: Unit test @@ -97,7 +97,7 @@ jobs: - name: Set up Go uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: - go-version: "1.21" + go-version: "1.22" check-latest: true - name: Check go.mod and manifests run: | @@ -123,7 +123,7 @@ jobs: - name: Set up Go uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: - go-version: "1.21" + go-version: "1.22" check-latest: true - name: Download e2e dependencies @@ -155,7 +155,7 @@ jobs: - name: Set up Go uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: - go-version: "1.21" + go-version: "1.22" check-latest: true - name: Bootstrap e2e @@ -280,7 +280,7 @@ jobs: - name: Set up Go uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: - go-version: "1.21" + go-version: "1.22" check-latest: true - name: Bootstrap e2e 
diff --git a/.go-version b/.go-version index 3500250a4b0..57807d6d0d0 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.21.0 +1.22.0 diff --git a/.golangci.yaml b/.golangci.yaml index 45f97871159..d4ddf3b08d7 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -22,7 +22,7 @@ linters-settings: locale: US staticcheck: # Select the Go version to target. The default is '1.13'. - go: "1.21" + go: "1.22" linters: disable-all: true diff --git a/Dockerfile b/Dockerfile index d4db5c85f79..76a2ca45218 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ ARG BUILDPLATFORM="linux/amd64" -ARG BUILDERIMAGE="golang:1.21-bullseye" +ARG BUILDERIMAGE="golang:1.22-bookworm" # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details ARG BASEIMAGE="gcr.io/distroless/static:nonroot" diff --git a/Tiltfile b/Tiltfile index a141bec7557..00ecc8ca54c 100644 --- a/Tiltfile +++ b/Tiltfile @@ -17,7 +17,7 @@ if settings.get("trigger_mode", "auto").lower() == "manual": trigger_mode(TRIGGER_MODE_MANUAL) TILT_DOCKERFILE = """ -FROM golang:1.21-bullseye as tilt-helper +FROM golang:1.22-bookworm as tilt-helper # Support live reloading with Tilt RUN wget --output-document /restart.sh --quiet https://raw.githubusercontent.com/tilt-dev/rerun-process-wrapper/60eaa572cdf825c646008e1ea28b635f83cefb38/restart.sh && \ wget --output-document /start.sh --quiet https://raw.githubusercontent.com/tilt-dev/rerun-process-wrapper/60eaa572cdf825c646008e1ea28b635f83cefb38/start.sh && \ diff --git a/apis/config/v1alpha1/zz_generated.deepcopy.go b/apis/config/v1alpha1/zz_generated.deepcopy.go index 2df3903752c..75babe05f76 100644 --- a/apis/config/v1alpha1/zz_generated.deepcopy.go +++ b/apis/config/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* 
diff --git a/apis/expansion/unversioned/zz_generated.deepcopy.go b/apis/expansion/unversioned/zz_generated.deepcopy.go index 3cd1633496d..4d789857276 100644 --- a/apis/expansion/unversioned/zz_generated.deepcopy.go +++ b/apis/expansion/unversioned/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* diff --git a/apis/expansion/v1alpha1/zz_generated.deepcopy.go b/apis/expansion/v1alpha1/zz_generated.deepcopy.go index d44b368c3a1..678a47e3720 100644 --- a/apis/expansion/v1alpha1/zz_generated.deepcopy.go +++ b/apis/expansion/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* diff --git a/apis/expansion/v1beta1/zz_generated.deepcopy.go b/apis/expansion/v1beta1/zz_generated.deepcopy.go index 6ae018f2d27..9a5a8ab01e0 100644 --- a/apis/expansion/v1beta1/zz_generated.deepcopy.go +++ b/apis/expansion/v1beta1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* diff --git a/apis/mutations/unversioned/zz_generated.deepcopy.go b/apis/mutations/unversioned/zz_generated.deepcopy.go index 0b0c3a9bb23..14932e0cbb7 100644 --- a/apis/mutations/unversioned/zz_generated.deepcopy.go +++ b/apis/mutations/unversioned/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* diff --git a/apis/mutations/v1/zz_generated.deepcopy.go b/apis/mutations/v1/zz_generated.deepcopy.go index fc732100f53..659053c8820 100644 --- a/apis/mutations/v1/zz_generated.deepcopy.go +++ b/apis/mutations/v1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* diff --git a/apis/mutations/v1alpha1/zz_generated.deepcopy.go b/apis/mutations/v1alpha1/zz_generated.deepcopy.go index 274942c8825..2598e5a3527 100644 --- a/apis/mutations/v1alpha1/zz_generated.deepcopy.go +++ b/apis/mutations/v1alpha1/zz_generated.deepcopy.go 
@@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* diff --git a/apis/mutations/v1beta1/zz_generated.deepcopy.go b/apis/mutations/v1beta1/zz_generated.deepcopy.go index 50ef1e24539..7ac11182c3e 100644 --- a/apis/mutations/v1beta1/zz_generated.deepcopy.go +++ b/apis/mutations/v1beta1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* diff --git a/apis/status/v1beta1/zz_generated.deepcopy.go b/apis/status/v1beta1/zz_generated.deepcopy.go index 5a42224d349..c361b6cdd9a 100644 --- a/apis/status/v1beta1/zz_generated.deepcopy.go +++ b/apis/status/v1beta1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* diff --git a/apis/syncset/v1alpha1/zz_generated.deepcopy.go b/apis/syncset/v1alpha1/zz_generated.deepcopy.go index f3e663e93e0..af4e96c6165 100644 --- a/apis/syncset/v1alpha1/zz_generated.deepcopy.go +++ b/apis/syncset/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* diff --git a/build/tooling/Dockerfile b/build/tooling/Dockerfile index c5124a2d806..4a16fc563e4 100644 --- a/build/tooling/Dockerfile +++ b/build/tooling/Dockerfile @@ -1,7 +1,7 @@ -FROM golang:1.21-bullseye@sha256:47fa179d4966a0950485ede2ef81567bb1cf62e1e87af07e9830e5c928d06cd0 +FROM golang:1.22-bookworm@sha256:d996c645c9934e770e64f05fc2bc103755197b43fd999b3aa5419142e1ee6d78 -RUN GO111MODULE=on go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.10.0 -RUN GO111MODULE=on go install k8s.io/code-generator/cmd/conversion-gen@v0.25.4 +RUN GO111MODULE=on go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.14.0 +RUN GO111MODULE=on go install k8s.io/code-generator/cmd/conversion-gen@v0.29.3 RUN mkdir /gatekeeper WORKDIR /gatekeeper diff --git a/config/crd/bases/_.yaml b/config/crd/bases/_.yaml index 25f6032cf97..597bc60f700 100644 --- a/config/crd/bases/_.yaml 
+++ b/config/crd/bases/_.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 spec: group: "" names: diff --git a/config/crd/bases/config.gatekeeper.sh_configs.yaml b/config/crd/bases/config.gatekeeper.sh_configs.yaml index aa870f987de..ddd2f55394f 100644 --- a/config/crd/bases/config.gatekeeper.sh_configs.yaml +++ b/config/crd/bases/config.gatekeeper.sh_configs.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: configs.config.gatekeeper.sh spec: group: config.gatekeeper.sh 
@@ -21,14 +20,19 @@ spec: description: Config is the Schema for the configs API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -41,11 +45,10 @@ spec: properties: excludedNamespaces: items: - description: 'A string that supports globbing at its front - and end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system", - "*system*" will match "system-kube" or "kube-system". The - asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array diff --git a/config/crd/bases/expansion.gatekeeper.sh_expansiontemplate.yaml b/config/crd/bases/expansion.gatekeeper.sh_expansiontemplate.yaml index e9a9298cb20..ded7d078046 100644 --- a/config/crd/bases/expansion.gatekeeper.sh_expansiontemplate.yaml +++ b/config/crd/bases/expansion.gatekeeper.sh_expansiontemplate.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: expansiontemplate.expansion.gatekeeper.sh spec: group: expansion.gatekeeper.sh 
@@ -21,14 +20,19 @@ spec: description: ExpansionTemplate is the Schema for the ExpansionTemplate API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -36,11 +40,13 @@ spec: description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds - of generator resources which will be expanded. + description: |- + ApplyTo lists the specific groups, versions and kinds of generator resources + which will be expanded. items: - description: ApplyTo determines what GVKs items the mutation should - apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: @@ -57,14 +63,15 @@ spec: type: object type: array enforcementAction: - description: EnforcementAction specifies the enforcement action to - be used for resources matching the ExpansionTemplate. Specifying - an empty value will use the enforcement action specified by the - Constraint in violation. + description: |- + EnforcementAction specifies the enforcement action to be used for resources + matching the ExpansionTemplate. Specifying an empty value will use the + enforcement action specified by the Constraint in violation. type: string generatedGVK: - description: GeneratedGVK specifies the GVK of the resources which - the generator resource creates. + description: |- + GeneratedGVK specifies the GVK of the resources which the generator + resource creates. properties: group: type: string @@ -74,9 +81,10 @@ spec: type: string type: object templateSource: - description: TemplateSource specifies the source field on the generator - resource to use as the base for expanded resource. For Pod-creating - generators, this is usually spec.template + description: |- + TemplateSource specifies the source field on the generator resource to + use as the base for expanded resource. For Pod-creating generators, this + is usually spec.template type: string type: object status: 
@@ -110,10 +118,10 @@ spec: type: string type: array templateUID: - description: UID is a type that holds unique ID values, including - UUIDs. Because we don't ONLY use UUIDs, this is an alias - to string. Being a type captures intent and helps make sure - that UIDs and names do not get conflated. + description: |- + UID is a type that holds unique ID values, including UUIDs. Because we + don't ONLY use UUIDs, this is an alias to string. Being a type captures + intent and helps make sure that UIDs and names do not get conflated. type: string type: object type: array 
@@ -129,14 +137,19 @@ spec: description: ExpansionTemplate is the Schema for the ExpansionTemplate API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -144,11 +157,13 @@ spec: description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds - of generator resources which will be expanded. + description: |- + ApplyTo lists the specific groups, versions and kinds of generator resources + which will be expanded. items: - description: ApplyTo determines what GVKs items the mutation should - apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: @@ -165,14 +180,15 @@ spec: type: object type: array enforcementAction: - description: EnforcementAction specifies the enforcement action to - be used for resources matching the ExpansionTemplate. Specifying - an empty value will use the enforcement action specified by the - Constraint in violation. + description: |- + EnforcementAction specifies the enforcement action to be used for resources + matching the ExpansionTemplate. Specifying an empty value will use the + enforcement action specified by the Constraint in violation. type: string generatedGVK: - description: GeneratedGVK specifies the GVK of the resources which - the generator resource creates. + description: |- + GeneratedGVK specifies the GVK of the resources which the generator + resource creates. properties: group: type: string @@ -182,9 +198,10 @@ spec: type: string type: object templateSource: - description: TemplateSource specifies the source field on the generator - resource to use as the base for expanded resource. For Pod-creating - generators, this is usually spec.template + description: |- + TemplateSource specifies the source field on the generator resource to + use as the base for expanded resource. For Pod-creating generators, this + is usually spec.template type: string type: object status: 
@@ -218,10 +235,10 @@ spec: type: string type: array templateUID: - description: UID is a type that holds unique ID values, including - UUIDs. Because we don't ONLY use UUIDs, this is an alias - to string. Being a type captures intent and helps make sure - that UIDs and names do not get conflated. + description: |- + UID is a type that holds unique ID values, including UUIDs. Because we + don't ONLY use UUIDs, this is an alias to string. Being a type captures + intent and helps make sure that UIDs and names do not get conflated. type: string type: object type: array diff --git a/config/crd/bases/match.gatekeeper.sh_matchcrd.yaml b/config/crd/bases/match.gatekeeper.sh_matchcrd.yaml index e504c6069fe..6d73bc161de 100644 --- a/config/crd/bases/match.gatekeeper.sh_matchcrd.yaml +++ b/config/crd/bases/match.gatekeeper.sh_matchcrd.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: matchcrd.match.gatekeeper.sh spec: group: match.gatekeeper.sh 
@@ -18,45 +17,50 @@ spec: - name: match schema: openAPIV3Schema: - description: DummyCRD is a "dummy" CRD to hold the Match object, which we - ultimately need to generate JSONSchemaProps. The TypeMeta and ObjectMeta - fields are required for controller-gen to generate the CRD. + description: |- + DummyCRD is a "dummy" CRD to hold the Match object, which we ultimately + need to generate JSONSchemaProps. The TypeMeta and ObjectMeta fields are + required for controller-gen to generate the CRD. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string embeddedMatch: description: Match selects which objects are in scope. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If - defined, a constraint only applies to resources not in a listed - namespace. ExcludedNamespaces also supports a prefix or suffix based - glob. For example, `excludedNamespaces: [kube-*]` matches both - `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` - matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. 
For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. - Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" - will match "kube-system" or "gatekeeper-system", "*system*" will - match "system-kube" or "kube-system". The asterisk is required - for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and - kinds fields that list the groups/kinds of objects to which the - mutation will apply. If multiple groups/kinds objects are specified, + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong - to. '*' is all groups. If '*' is present, the length of the - slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -67,35 +71,36 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: - `matchLabels` and `matchExpressions`. These two fields provide - different methods of selecting or excluding k8s objects based on - the label keys and values included in object metadata. All selection - expressions from both sections are ANDed to determine if an object - meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -108,47 +113,47 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will - match against objects with the specified name. Name also supports - a prefix or suffix glob. For example, `name: pod-*` would match - both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` - and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's - containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -161,38 +166,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, - a constraint only applies to resources in a listed namespace. Namespaces - also supports a prefix or suffix based glob. For example, `namespaces: - [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: - [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. - Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" - will match "kube-system" or "gatekeeper-system", "*system*" will - match "system-kube" or "kube-system". The asterisk is required - for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped - resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. - (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources - are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). - A value of `Generated` will only match generated resources, while - `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated @@ -200,9 +206,12 @@ spec: type: string type: object kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadataDummy: type: object diff --git a/config/crd/bases/mutations.gatekeeper.sh_assign.yaml b/config/crd/bases/mutations.gatekeeper.sh_assign.yaml index 60b2e470db8..79d7b866d8d 100644 --- a/config/crd/bases/mutations.gatekeeper.sh_assign.yaml 
+++ b/config/crd/bases/mutations.gatekeeper.sh_assign.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: assign.mutations.gatekeeper.sh spec: group: mutations.gatekeeper.sh @@ -21,14 +20,19 @@ spec: description: Assign is the Schema for the assign API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -36,13 +40,14 @@ spec: description: AssignSpec defines the desired state of Assign. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds - a mutation will be applied to. This is necessary because every mutation - implies part of an object schema and object schemas are associated - with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should - apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -63,38 +68,40 @@ spec: `spec.containers[name: main]`.' type: string match: - description: Match allows the user to limit which resources get mutated. - Individual match criteria are AND-ed together. An undefined match - criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. - If defined, a constraint only applies to resources not in a - listed namespace. ExcludedNamespaces also supports a prefix - or suffix based glob. For example, `excludedNamespaces: [kube-*]` - matches both `kube-system` and `kube-public`, and `excludedNamespaces: - [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and - end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system", - "*system*" will match "system-kube" or "kube-system". The - asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups - and kinds fields that list the groups/kinds of objects to - which the mutation will apply. If multiple groups/kinds objects - are specified, only one match is needed for the resource to - be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong - to. '*' is all groups. If '*' is present, the length of - the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -105,36 +112,37 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional - fields: `matchLabels` and `matchExpressions`. These two fields - provide different methods of selecting or excluding k8s objects - based on the label keys and values included in object metadata. All - selection expressions from both sections are ANDed to determine - if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. 
+ description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -146,49 +154,48 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will - match against objects with the specified name. Name also supports - a prefix or suffix glob. For example, `name: pod-*` would match - both `pod-a` and `pod-b`, and `name: *-pod` would match both - `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an - object's containing namespace or the object itself, if the object - is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -200,38 +207,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, - a constraint only applies to resources in a listed namespace. Namespaces - also supports a prefix or suffix based glob. For example, `namespaces: - [kube-*]` matches both `kube-system` and `kube-public`, and - `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and - end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system", - "*system*" will match "system-kube" or "kube-system". The - asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped - resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. - (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources - are matched. Accepts `Generated`|`Original`|`All` (defaults - to `All`). A value of `Generated` will only match generated - resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -250,22 +258,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the - data that will be sent to the external data provider - as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use - when the external data provider returns an error and - the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply - when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore 
@@ -293,15 +302,18 @@ spec: type: object pathTests: items: - description: "PathTest allows the user to customize how the - mutation works if parent paths are missing. It traverses the - list in order. All sub paths are tested against the provided - condition, if the test fails, the mutation is not applied. - All `subPath` entries must be a prefix of `location`. Any + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to - expand the matching glob in `location`. \n Available Tests: - * MustExist - the path must exist or do not mutate * MustNotExist - - the path must not exist or do not mutate." + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either @@ -334,9 +346,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error - for use by controller code. If not present, the error - should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -345,9 +357,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, - such as when a mutator has been recreated after its CRD was - deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -370,14 +383,19 @@ spec: description: Assign is the Schema for the assign API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -385,13 +403,14 @@ spec: description: AssignSpec defines the desired state of Assign. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds - a mutation will be applied to. This is necessary because every mutation - implies part of an object schema and object schemas are associated - with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should - apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -412,38 +431,40 @@ spec: `spec.containers[name: main]`.' type: string match: - description: Match allows the user to limit which resources get mutated. - Individual match criteria are AND-ed together. An undefined match - criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. - If defined, a constraint only applies to resources not in a - listed namespace. ExcludedNamespaces also supports a prefix - or suffix based glob. For example, `excludedNamespaces: [kube-*]` - matches both `kube-system` and `kube-public`, and `excludedNamespaces: - [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and - end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system", - "*system*" will match "system-kube" or "kube-system". The - asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups - and kinds fields that list the groups/kinds of objects to - which the mutation will apply. If multiple groups/kinds objects - are specified, only one match is needed for the resource to - be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong - to. '*' is all groups. If '*' is present, the length of - the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -454,36 +475,37 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional - fields: `matchLabels` and `matchExpressions`. These two fields - provide different methods of selecting or excluding k8s objects - based on the label keys and values included in object metadata. All - selection expressions from both sections are ANDed to determine - if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. 
+ description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -495,49 +517,48 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will - match against objects with the specified name. Name also supports - a prefix or suffix glob. For example, `name: pod-*` would match - both `pod-a` and `pod-b`, and `name: *-pod` would match both - `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an - object's containing namespace or the object itself, if the object - is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -549,38 +570,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, - a constraint only applies to resources in a listed namespace. Namespaces - also supports a prefix or suffix based glob. For example, `namespaces: - [kube-*]` matches both `kube-system` and `kube-public`, and - `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and - end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system", - "*system*" will match "system-kube" or "kube-system". The - asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped - resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. - (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources - are matched. Accepts `Generated`|`Original`|`All` (defaults - to `All`). A value of `Generated` will only match generated - resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -599,22 +621,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the - data that will be sent to the external data provider - as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use - when the external data provider returns an error and - the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply - when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore 
@@ -642,15 +665,18 @@ spec: type: object pathTests: items: - description: "PathTest allows the user to customize how the - mutation works if parent paths are missing. It traverses the - list in order. All sub paths are tested against the provided - condition, if the test fails, the mutation is not applied. - All `subPath` entries must be a prefix of `location`. Any + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to - expand the matching glob in `location`. \n Available Tests: - * MustExist - the path must exist or do not mutate * MustNotExist - - the path must not exist or do not mutate." + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either @@ -683,9 +709,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error - for use by controller code. If not present, the error - should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -694,9 +720,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, - such as when a mutator has been recreated after its CRD was - deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -719,14 +746,19 @@ spec: description: Assign is the Schema for the assign API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -734,13 +766,14 @@ spec: description: AssignSpec defines the desired state of Assign. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds - a mutation will be applied to. This is necessary because every mutation - implies part of an object schema and object schemas are associated - with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should - apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -761,38 +794,40 @@ spec: `spec.containers[name: main]`.' type: string match: - description: Match allows the user to limit which resources get mutated. - Individual match criteria are AND-ed together. An undefined match - criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. - If defined, a constraint only applies to resources not in a - listed namespace. ExcludedNamespaces also supports a prefix - or suffix based glob. For example, `excludedNamespaces: [kube-*]` - matches both `kube-system` and `kube-public`, and `excludedNamespaces: - [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and - end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system", - "*system*" will match "system-kube" or "kube-system". The - asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups - and kinds fields that list the groups/kinds of objects to - which the mutation will apply. If multiple groups/kinds objects - are specified, only one match is needed for the resource to - be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong - to. '*' is all groups. If '*' is present, the length of - the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -803,36 +838,37 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional - fields: `matchLabels` and `matchExpressions`. These two fields - provide different methods of selecting or excluding k8s objects - based on the label keys and values included in object metadata. All - selection expressions from both sections are ANDed to determine - if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. 
+ description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -844,49 +880,48 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will - match against objects with the specified name. Name also supports - a prefix or suffix glob. For example, `name: pod-*` would match - both `pod-a` and `pod-b`, and `name: *-pod` would match both - `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an - object's containing namespace or the object itself, if the object - is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -898,38 +933,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, - a constraint only applies to resources in a listed namespace. Namespaces - also supports a prefix or suffix based glob. For example, `namespaces: - [kube-*]` matches both `kube-system` and `kube-public`, and - `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and - end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system", - "*system*" will match "system-kube" or "kube-system". The - asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped - resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. - (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources - are matched. Accepts `Generated`|`Original`|`All` (defaults - to `All`). A value of `Generated` will only match generated - resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -948,22 +984,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the - data that will be sent to the external data provider - as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use - when the external data provider returns an error and - the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply - when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore 
@@ -991,15 +1028,18 @@ spec: type: object pathTests: items: - description: "PathTest allows the user to customize how the - mutation works if parent paths are missing. It traverses the - list in order. All sub paths are tested against the provided - condition, if the test fails, the mutation is not applied. - All `subPath` entries must be a prefix of `location`. Any + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to - expand the matching glob in `location`. \n Available Tests: - * MustExist - the path must exist or do not mutate * MustNotExist - - the path must not exist or do not mutate." + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either @@ -1032,9 +1072,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error - for use by controller code. If not present, the error - should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -1043,9 +1083,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, - such as when a mutator has been recreated after its CRD was - deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 diff --git a/config/crd/bases/mutations.gatekeeper.sh_assignimage.yaml b/config/crd/bases/mutations.gatekeeper.sh_assignimage.yaml index 85d4d58be8e..a5138099014 100644 --- a/config/crd/bases/mutations.gatekeeper.sh_assignimage.yaml +++ b/config/crd/bases/mutations.gatekeeper.sh_assignimage.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: assignimage.mutations.gatekeeper.sh spec: group: mutations.gatekeeper.sh 
@@ -21,14 +20,19 @@ spec: description: AssignImage is the Schema for the assignimage API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -36,13 +40,14 @@ spec: description: AssignImageSpec defines the desired state of AssignImage. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds - a mutation will be applied to. This is necessary because every mutation - implies part of an object schema and object schemas are associated - with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should - apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -63,38 +68,40 @@ spec: `spec.containers[name: main].image`.' type: string match: - description: Match allows the user to limit which resources get mutated. - Individual match criteria are AND-ed together. An undefined match - criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. - If defined, a constraint only applies to resources not in a - listed namespace. ExcludedNamespaces also supports a prefix - or suffix based glob. For example, `excludedNamespaces: [kube-*]` - matches both `kube-system` and `kube-public`, and `excludedNamespaces: - [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and - end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system", - "*system*" will match "system-kube" or "kube-system". The - asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups - and kinds fields that list the groups/kinds of objects to - which the mutation will apply. If multiple groups/kinds objects - are specified, only one match is needed for the resource to - be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong - to. '*' is all groups. If '*' is present, the length of - the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -105,36 +112,37 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional - fields: `matchLabels` and `matchExpressions`. These two fields - provide different methods of selecting or excluding k8s objects - based on the label keys and values included in object metadata. All - selection expressions from both sections are ANDed to determine - if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. 
+ description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -146,49 +154,48 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will - match against objects with the specified name. Name also supports - a prefix or suffix glob. For example, `name: pod-*` would match - both `pod-a` and `pod-b`, and `name: *-pod` would match both - `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an - object's containing namespace or the object itself, if the object - is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -200,38 +207,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, - a constraint only applies to resources in a listed namespace. Namespaces - also supports a prefix or suffix based glob. For example, `namespaces: - [kube-*]` matches both `kube-system` and `kube-public`, and - `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and - end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system", - "*system*" will match "system-kube" or "kube-system". The - asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped - resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. - (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources - are matched. Accepts `Generated`|`Original`|`All` (defaults - to `All`). A value of `Generated` will only match generated - resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -242,28 +250,33 @@ spec: description: Parameters define the behavior of the mutator. properties: assignDomain: - description: AssignDomain sets the domain component on an image - string. The trailing slash should not be included. + description: |- + AssignDomain sets the domain component on an image string. The trailing + slash should not be included. type: string assignPath: description: AssignPath sets the domain component on an image string. type: string assignTag: - description: AssignImage sets the image component on an image - string. It must start with a `:` or `@`. + description: |- + AssignImage sets the image component on an image string. It must start + with a `:` or `@`. type: string pathTests: items: - description: "PathTest allows the user to customize how the - mutation works if parent paths are missing. It traverses the - list in order. All sub paths are tested against the provided - condition, if the test fails, the mutation is not applied. - All `subPath` entries must be a prefix of `location`. Any + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to - expand the matching glob in `location`. \n Available Tests: - * MustExist - the path must exist or do not mutate * MustNotExist - - the path must not exist or do not mutate." + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either 
@@ -296,9 +309,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error - for use by controller code. If not present, the error - should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message @@ -307,9 +320,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, - such as when a mutator has been recreated after its CRD was - deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 diff --git a/config/crd/bases/mutations.gatekeeper.sh_assignmetadata.yaml b/config/crd/bases/mutations.gatekeeper.sh_assignmetadata.yaml index 5d2883032c1..86ecb660c26 100644 --- a/config/crd/bases/mutations.gatekeeper.sh_assignmetadata.yaml +++ b/config/crd/bases/mutations.gatekeeper.sh_assignmetadata.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: assignmetadata.mutations.gatekeeper.sh spec: group: mutations.gatekeeper.sh 
@@ -21,14 +20,19 @@ spec: description: AssignMetadata is the Schema for the assignmetadata API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -41,33 +45,34 @@ spec: description: Match selects which objects are in scope. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. - If defined, a constraint only applies to resources not in a - listed namespace. ExcludedNamespaces also supports a prefix - or suffix based glob. For example, `excludedNamespaces: [kube-*]` - matches both `kube-system` and `kube-public`, and `excludedNamespaces: - [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and - end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system", - "*system*" will match "system-kube" or "kube-system". The - asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups - and kinds fields that list the groups/kinds of objects to - which the mutation will apply. If multiple groups/kinds objects - are specified, only one match is needed for the resource to - be in scope. 
+ description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong - to. '*' is all groups. If '*' is present, the length of - the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -78,36 +83,37 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional - fields: `matchLabels` and `matchExpressions`. These two fields - provide different methods of selecting or excluding k8s objects - based on the label keys and values included in object metadata. All - selection expressions from both sections are ANDed to determine - if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. 
+ description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -119,49 +125,48 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will - match against objects with the specified name. Name also supports - a prefix or suffix glob. For example, `name: pod-*` would match - both `pod-a` and `pod-b`, and `name: *-pod` would match both - `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an - object's containing namespace or the object itself, if the object - is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -173,38 +178,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, - a constraint only applies to resources in a listed namespace. Namespaces - also supports a prefix or suffix based glob. For example, `namespaces: - [kube-*]` matches both `kube-system` and `kube-public`, and - `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and - end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system", - "*system*" will match "system-kube" or "kube-system". The - asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped - resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. - (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources - are matched. Accepts `Generated`|`Original`|`All` (defaults - to `All`). A value of `Generated` will only match generated - resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -222,22 +228,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the - data that will be sent to the external data provider - as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use - when the external data provider returns an error and - the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply - when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore @@ -269,9 +276,9 @@ spec: description: AssignMetadataStatus defines the observed state of AssignMetadata. properties: byPod: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state - of cluster Important: Run "make" to regenerate code after modifying - this file' + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file items: description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. @@ -286,9 +293,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error - for use by controller code. If not present, the error - should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -297,9 +304,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, - such as when a mutator has been recreated after its CRD was - deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -322,14 +330,19 @@ spec: description: AssignMetadata is the Schema for the assignmetadata API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -342,33 +355,34 @@ spec: description: Match selects which objects are in scope. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. - If defined, a constraint only applies to resources not in a - listed namespace. ExcludedNamespaces also supports a prefix - or suffix based glob. For example, `excludedNamespaces: [kube-*]` - matches both `kube-system` and `kube-public`, and `excludedNamespaces: - [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and - end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system", - "*system*" will match "system-kube" or "kube-system". The - asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups - and kinds fields that list the groups/kinds of objects to - which the mutation will apply. If multiple groups/kinds objects - are specified, only one match is needed for the resource to - be in scope. 
+ description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong - to. '*' is all groups. If '*' is present, the length of - the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -379,36 +393,37 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional - fields: `matchLabels` and `matchExpressions`. These two fields - provide different methods of selecting or excluding k8s objects - based on the label keys and values included in object metadata. All - selection expressions from both sections are ANDed to determine - if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. 
+ description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -420,49 +435,48 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will - match against objects with the specified name. Name also supports - a prefix or suffix glob. For example, `name: pod-*` would match - both `pod-a` and `pod-b`, and `name: *-pod` would match both - `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an - object's containing namespace or the object itself, if the object - is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -474,38 +488,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, - a constraint only applies to resources in a listed namespace. Namespaces - also supports a prefix or suffix based glob. For example, `namespaces: - [kube-*]` matches both `kube-system` and `kube-public`, and - `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and - end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system", - "*system*" will match "system-kube" or "kube-system". The - asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped - resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. - (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources - are matched. Accepts `Generated`|`Original`|`All` (defaults - to `All`). A value of `Generated` will only match generated - resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -523,22 +538,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the - data that will be sent to the external data provider - as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use - when the external data provider returns an error and - the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply - when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore @@ -570,9 +586,9 @@ spec: description: AssignMetadataStatus defines the observed state of AssignMetadata. properties: byPod: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state - of cluster Important: Run "make" to regenerate code after modifying - this file' + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file items: description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. @@ -587,9 +603,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error - for use by controller code. If not present, the error - should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -598,9 +614,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, - such as when a mutator has been recreated after its CRD was - deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -623,14 +640,19 @@ spec: description: AssignMetadata is the Schema for the assignmetadata API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -643,33 +665,34 @@ spec: description: Match selects which objects are in scope. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. - If defined, a constraint only applies to resources not in a - listed namespace. ExcludedNamespaces also supports a prefix - or suffix based glob. For example, `excludedNamespaces: [kube-*]` - matches both `kube-system` and `kube-public`, and `excludedNamespaces: - [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and - end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system", - "*system*" will match "system-kube" or "kube-system". The - asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups - and kinds fields that list the groups/kinds of objects to - which the mutation will apply. If multiple groups/kinds objects - are specified, only one match is needed for the resource to - be in scope. 
+ description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong - to. '*' is all groups. If '*' is present, the length of - the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -680,36 +703,37 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional - fields: `matchLabels` and `matchExpressions`. These two fields - provide different methods of selecting or excluding k8s objects - based on the label keys and values included in object metadata. All - selection expressions from both sections are ANDed to determine - if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. 
+ description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -721,49 +745,48 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will - match against objects with the specified name. Name also supports - a prefix or suffix glob. For example, `name: pod-*` would match - both `pod-a` and `pod-b`, and `name: *-pod` would match both - `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an - object's containing namespace or the object itself, if the object - is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -775,38 +798,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, - a constraint only applies to resources in a listed namespace. Namespaces - also supports a prefix or suffix based glob. For example, `namespaces: - [kube-*]` matches both `kube-system` and `kube-public`, and - `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and - end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system", - "*system*" will match "system-kube" or "kube-system". The - asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped - resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. - (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources - are matched. Accepts `Generated`|`Original`|`All` (defaults - to `All`). A value of `Generated` will only match generated - resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -824,22 +848,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the - data that will be sent to the external data provider - as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use - when the external data provider returns an error and - the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply - when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore @@ -871,9 +896,9 @@ spec: description: AssignMetadataStatus defines the observed state of AssignMetadata. properties: byPod: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state - of cluster Important: Run "make" to regenerate code after modifying - this file' + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file items: description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. @@ -888,9 +913,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error - for use by controller code. If not present, the error - should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -899,9 +924,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, - such as when a mutator has been recreated after its CRD was - deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 diff --git a/config/crd/bases/mutations.gatekeeper.sh_modifyset.yaml b/config/crd/bases/mutations.gatekeeper.sh_modifyset.yaml index 1c0c28b85e8..320894f6184 100644 --- a/config/crd/bases/mutations.gatekeeper.sh_modifyset.yaml +++ b/config/crd/bases/mutations.gatekeeper.sh_modifyset.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: modifyset.mutations.gatekeeper.sh spec: group: mutations.gatekeeper.sh 
@@ -18,18 +17,24 @@ spec: - name: v1 schema: openAPIV3Schema: - description: ModifySet allows the user to modify non-keyed lists, such as + description: |- + ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -37,13 +42,14 @@ spec: description: ModifySetSpec defines the desired state of ModifySet. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds - a mutation will be applied to. This is necessary because every mutation - implies part of an object schema and object schemas are associated - with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should - apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -64,38 +70,40 @@ spec: `spec.containers[name: main].args`.' type: string match: - description: Match allows the user to limit which resources get mutated. - Individual match criteria are AND-ed together. An undefined match - criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. - If defined, a constraint only applies to resources not in a - listed namespace. ExcludedNamespaces also supports a prefix - or suffix based glob. For example, `excludedNamespaces: [kube-*]` - matches both `kube-system` and `kube-public`, and `excludedNamespaces: - [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and - end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system", - "*system*" will match "system-kube" or "kube-system". The - asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups - and kinds fields that list the groups/kinds of objects to - which the mutation will apply. If multiple groups/kinds objects - are specified, only one match is needed for the resource to - be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong - to. '*' is all groups. If '*' is present, the length of - the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -106,36 +114,37 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional - fields: `matchLabels` and `matchExpressions`. These two fields - provide different methods of selecting or excluding k8s objects - based on the label keys and values included in object metadata. All - selection expressions from both sections are ANDed to determine - if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. 
+ description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -147,49 +156,48 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will - match against objects with the specified name. Name also supports - a prefix or suffix glob. For example, `name: pod-*` would match - both `pod-a` and `pod-b`, and `name: *-pod` would match both - `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an - object's containing namespace or the object itself, if the object - is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -201,38 +209,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, - a constraint only applies to resources in a listed namespace. Namespaces - also supports a prefix or suffix based glob. For example, `namespaces: - [kube-*]` matches both `kube-system` and `kube-public`, and - `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and - end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system", - "*system*" will match "system-kube" or "kube-system". The - asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped - resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. - (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources - are matched. Accepts `Generated`|`Original`|`All` (defaults - to `All`). A value of `Generated` will only match generated - resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -251,18 +260,22 @@ spec: - prune type: string pathTests: - description: PathTests are a series of existence tests that can - be checked before a mutation is applied + description: |- + PathTests are a series of existence tests that can be checked + before a mutation is applied items: - description: "PathTest allows the user to customize how the - mutation works if parent paths are missing. It traverses the - list in order. All sub paths are tested against the provided - condition, if the test fails, the mutation is not applied. - All `subPath` entries must be a prefix of `location`. Any + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to - expand the matching glob in `location`. \n Available Tests: - * MustExist - the path must exist or do not mutate * MustNotExist - - the path must not exist or do not mutate." + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either @@ -300,9 +313,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error - for use by controller code. If not present, the error - should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -311,9 +324,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, - such as when a mutator has been recreated after its CRD was - deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 
@@ -333,18 +347,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ModifySet allows the user to modify non-keyed lists, such as + description: |- + ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -352,13 +372,14 @@ spec: description: ModifySetSpec defines the desired state of ModifySet. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds - a mutation will be applied to. This is necessary because every mutation - implies part of an object schema and object schemas are associated - with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should - apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -379,38 +400,40 @@ spec: `spec.containers[name: main].args`.' type: string match: - description: Match allows the user to limit which resources get mutated. - Individual match criteria are AND-ed together. An undefined match - criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. - If defined, a constraint only applies to resources not in a - listed namespace. ExcludedNamespaces also supports a prefix - or suffix based glob. For example, `excludedNamespaces: [kube-*]` - matches both `kube-system` and `kube-public`, and `excludedNamespaces: - [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and - end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system", - "*system*" will match "system-kube" or "kube-system". The - asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups - and kinds fields that list the groups/kinds of objects to - which the mutation will apply. If multiple groups/kinds objects - are specified, only one match is needed for the resource to - be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong - to. '*' is all groups. If '*' is present, the length of - the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -421,36 +444,37 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional - fields: `matchLabels` and `matchExpressions`. These two fields - provide different methods of selecting or excluding k8s objects - based on the label keys and values included in object metadata. All - selection expressions from both sections are ANDed to determine - if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. 
+ description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -462,49 +486,48 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will - match against objects with the specified name. Name also supports - a prefix or suffix glob. For example, `name: pod-*` would match - both `pod-a` and `pod-b`, and `name: *-pod` would match both - `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an - object's containing namespace or the object itself, if the object - is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -516,38 +539,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, - a constraint only applies to resources in a listed namespace. Namespaces - also supports a prefix or suffix based glob. For example, `namespaces: - [kube-*]` matches both `kube-system` and `kube-public`, and - `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and - end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system", - "*system*" will match "system-kube" or "kube-system". The - asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped - resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. - (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources - are matched. Accepts `Generated`|`Original`|`All` (defaults - to `All`). A value of `Generated` will only match generated - resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -566,18 +590,22 @@ spec: - prune type: string pathTests: - description: PathTests are a series of existence tests that can - be checked before a mutation is applied + description: |- + PathTests are a series of existence tests that can be checked + before a mutation is applied items: - description: "PathTest allows the user to customize how the - mutation works if parent paths are missing. It traverses the - list in order. All sub paths are tested against the provided - condition, if the test fails, the mutation is not applied. - All `subPath` entries must be a prefix of `location`. Any + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to - expand the matching glob in `location`. \n Available Tests: - * MustExist - the path must exist or do not mutate * MustNotExist - - the path must not exist or do not mutate." + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either @@ -615,9 +643,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error - for use by controller code. If not present, the error - should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -626,9 +654,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, - such as when a mutator has been recreated after its CRD was - deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 
@@ -648,18 +677,24 @@ spec: - name: v1beta1 schema: openAPIV3Schema: - description: ModifySet allows the user to modify non-keyed lists, such as + description: |- + ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -667,13 +702,14 @@ spec: description: ModifySetSpec defines the desired state of ModifySet. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds - a mutation will be applied to. This is necessary because every mutation - implies part of an object schema and object schemas are associated - with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should - apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -694,38 +730,40 @@ spec: `spec.containers[name: main].args`.' type: string match: - description: Match allows the user to limit which resources get mutated. - Individual match criteria are AND-ed together. An undefined match - criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. - If defined, a constraint only applies to resources not in a - listed namespace. ExcludedNamespaces also supports a prefix - or suffix based glob. For example, `excludedNamespaces: [kube-*]` - matches both `kube-system` and `kube-public`, and `excludedNamespaces: - [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and - end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system", - "*system*" will match "system-kube" or "kube-system". The - asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups - and kinds fields that list the groups/kinds of objects to - which the mutation will apply. If multiple groups/kinds objects - are specified, only one match is needed for the resource to - be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong - to. '*' is all groups. If '*' is present, the length of - the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -736,36 +774,37 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional - fields: `matchLabels` and `matchExpressions`. These two fields - provide different methods of selecting or excluding k8s objects - based on the label keys and values included in object metadata. All - selection expressions from both sections are ANDed to determine - if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. 
+ description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -777,49 +816,48 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will - match against objects with the specified name. Name also supports - a prefix or suffix glob. For example, `name: pod-*` would match - both `pod-a` and `pod-b`, and `name: *-pod` would match both - `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an - object's containing namespace or the object itself, if the object - is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -831,38 +869,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, - a constraint only applies to resources in a listed namespace. Namespaces - also supports a prefix or suffix based glob. For example, `namespaces: - [kube-*]` matches both `kube-system` and `kube-public`, and - `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and - end. Ex: "kube-*" will match "kube-system" or "kube-public", - "*-system" will match "kube-system" or "gatekeeper-system", - "*system*" will match "system-kube" or "kube-system". The - asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped - resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. - (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources - are matched. Accepts `Generated`|`Original`|`All` (defaults - to `All`). A value of `Generated` will only match generated - resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -881,18 +920,22 @@ spec: - prune type: string pathTests: - description: PathTests are a series of existence tests that can - be checked before a mutation is applied + description: |- + PathTests are a series of existence tests that can be checked + before a mutation is applied items: - description: "PathTest allows the user to customize how the - mutation works if parent paths are missing. It traverses the - list in order. All sub paths are tested against the provided - condition, if the test fails, the mutation is not applied. - All `subPath` entries must be a prefix of `location`. Any + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to - expand the matching glob in `location`. \n Available Tests: - * MustExist - the path must exist or do not mutate * MustNotExist - - the path must not exist or do not mutate." + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either @@ -930,9 +973,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error - for use by controller code. If not present, the error - should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -941,9 +984,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, - such as when a mutator has been recreated after its CRD was - deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 diff --git a/config/crd/bases/status.gatekeeper.sh_constraintpodstatuses.yaml b/config/crd/bases/status.gatekeeper.sh_constraintpodstatuses.yaml index fa7b9a1da46..f9678eb0f0a 100644 --- a/config/crd/bases/status.gatekeeper.sh_constraintpodstatuses.yaml +++ b/config/crd/bases/status.gatekeeper.sh_constraintpodstatuses.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: constraintpodstatuses.status.gatekeeper.sh spec: group: status.gatekeeper.sh 
@@ -22,14 +21,19 @@ spec: API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -37,8 +41,9 @@ spec: description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus. properties: constraintUID: - description: Storing the constraint UID allows us to detect drift, - such as when a constraint has been recreated after its CRD was deleted + description: |- + Storing the constraint UID allows us to detect drift, such as + when a constraint has been recreated after its CRD was deleted out from under it, interrupting the watch type: string enforced: 
diff --git a/config/crd/bases/status.gatekeeper.sh_constrainttemplatepodstatuses.yaml b/config/crd/bases/status.gatekeeper.sh_constrainttemplatepodstatuses.yaml index ca3cc7fd925..9030379a557 100644 --- a/config/crd/bases/status.gatekeeper.sh_constrainttemplatepodstatuses.yaml +++ b/config/crd/bases/status.gatekeeper.sh_constrainttemplatepodstatuses.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: constrainttemplatepodstatuses.status.gatekeeper.sh spec: group: status.gatekeeper.sh 
@@ -22,14 +21,19 @@ spec: API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -65,10 +69,10 @@ spec: type: string type: array templateUID: - description: UID is a type that holds unique ID values, including - UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being - a type captures intent and helps make sure that UIDs and names do - not get conflated. + description: |- + UID is a type that holds unique ID values, including UUIDs. Because we + don't ONLY use UUIDs, this is an alias to string. Being a type captures + intent and helps make sure that UIDs and names do not get conflated. type: string type: object type: object 
diff --git a/config/crd/bases/status.gatekeeper.sh_expansiontemplatepodstatuses.yaml b/config/crd/bases/status.gatekeeper.sh_expansiontemplatepodstatuses.yaml index 4335d45f5ca..18eb2b21385 100644 --- a/config/crd/bases/status.gatekeeper.sh_expansiontemplatepodstatuses.yaml +++ b/config/crd/bases/status.gatekeeper.sh_expansiontemplatepodstatuses.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: expansiontemplatepodstatuses.status.gatekeeper.sh spec: group: status.gatekeeper.sh 
@@ -22,14 +21,19 @@ spec: API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -60,10 +64,10 @@ spec: type: string type: array templateUID: - description: UID is a type that holds unique ID values, including - UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being - a type captures intent and helps make sure that UIDs and names do - not get conflated. + description: |- + UID is a type that holds unique ID values, including UUIDs. Because we + don't ONLY use UUIDs, this is an alias to string. Being a type captures + intent and helps make sure that UIDs and names do not get conflated. type: string type: object type: object 
diff --git a/config/crd/bases/status.gatekeeper.sh_mutatorpodstatuses.yaml b/config/crd/bases/status.gatekeeper.sh_mutatorpodstatuses.yaml index aee1905768b..6d9e9770821 100644 --- a/config/crd/bases/status.gatekeeper.sh_mutatorpodstatuses.yaml +++ b/config/crd/bases/status.gatekeeper.sh_mutatorpodstatuses.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: mutatorpodstatuses.status.gatekeeper.sh spec: group: status.gatekeeper.sh 
@@ -21,14 +20,19 @@ spec: description: MutatorPodStatus is the Schema for the mutationpodstatuses API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -45,9 +49,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use - by controller code. If not present, the error should be treated - as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -56,9 +60,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such - as when a mutator has been recreated after its CRD was deleted out - from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 diff --git a/config/crd/bases/syncset.gatekeeper.sh_syncsets.yaml b/config/crd/bases/syncset.gatekeeper.sh_syncsets.yaml index 08ec5fc832e..2b1aa8978b0 100644 --- a/config/crd/bases/syncset.gatekeeper.sh_syncsets.yaml +++ b/config/crd/bases/syncset.gatekeeper.sh_syncsets.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: syncsets.syncset.gatekeeper.sh spec: group: syncset.gatekeeper.sh 
@@ -23,14 +22,19 @@ spec: defines the sets of resources that will be synced. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index a258338234b..f3416ee2060 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - creationTimestamp: null name: manager-role rules: - apiGroups: @@ -178,7 +177,6 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - creationTimestamp: null name: manager-role namespace: gatekeeper-system rules: diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml index 107758db5c2..9c89134b2d5 100644 
--- a/config/webhook/manifests.yaml +++ b/config/webhook/manifests.yaml @@ -2,7 +2,6 @@ apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: - creationTimestamp: null name: mutating-webhook-configuration webhooks: - admissionReviewVersions: @@ -31,7 +30,6 @@ webhooks: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: - creationTimestamp: null name: validating-webhook-configuration webhooks: - admissionReviewVersions: diff --git a/gator.Dockerfile b/gator.Dockerfile index 907c1b8f528..aac863f0285 100644 --- a/gator.Dockerfile +++ b/gator.Dockerfile @@ -1,5 +1,5 @@ ARG BUILDPLATFORM="linux/amd64" -ARG BUILDERIMAGE="golang:1.21-bullseye" +ARG BUILDERIMAGE="golang:1.22-bookworm" # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details ARG BASEIMAGE="gcr.io/distroless/static:nonroot" diff --git a/manifest_staging/charts/gatekeeper/crds/assign-customresourcedefinition.yaml b/manifest_staging/charts/gatekeeper/crds/assign-customresourcedefinition.yaml index 7a709aa9e93..9cdb88b82db 100644 --- a/manifest_staging/charts/gatekeeper/crds/assign-customresourcedefinition.yaml +++ b/manifest_staging/charts/gatekeeper/crds/assign-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: assign.mutations.gatekeeper.sh 
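Review bot: In gator.Dockerfile the new default `ARG BUILDERIMAGE="golang:1.22-bookworm"` still names the builder by a mutable tag, so the toolchain that compiles the gator binary can change between builds without any change in this repository. Since the line is already being edited for the Go 1.22 / bookworm move, consider pinning the default to a digest, `ARG BUILDERIMAGE="golang:1.22-bookworm@sha256:<digest-of-the-reviewed-image>"`, and refreshing the digest with each intentional bump. The unchanged `BASEIMAGE="gcr.io/distroless/static:nonroot"` default two lines below has the same property. Whether CI overrides these ARGs with pinned references at build time is not visible in this hunk, so this may already be handled outside the Dockerfile.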
@@ -22,10 +22,19 @@ spec: description: Assign is the Schema for the assign API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: properties: 
@@ -37,9 +46,14 @@ spec: description: AssignSpec defines the desired state of Assign. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -59,21 +73,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -84,21 +117,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -110,29 +157,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -144,21 +208,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated @@ -176,17 +258,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore 
@@ -209,7 +297,18 @@ spec: type: object pathTests: items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object @@ -239,7 +338,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -248,7 +349,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -271,10 +375,19 @@ spec: description: Assign is the Schema for the assign API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -282,9 +395,14 @@ spec: description: AssignSpec defines the desired state of Assign. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -304,21 +422,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -329,21 +466,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -355,29 +506,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -389,21 +557,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated @@ -421,17 +607,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore 
@@ -454,7 +646,18 @@ spec: type: object pathTests: items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object @@ -484,7 +687,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -493,7 +698,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -516,10 +724,19 @@ spec: description: Assign is the Schema for the assign API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -527,9 +744,14 @@ spec: description: AssignSpec defines the desired state of Assign. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -549,21 +771,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -574,21 +815,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -600,29 +855,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -634,21 +906,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated @@ -666,17 +956,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore 
@@ -699,7 +995,18 @@ spec: type: object pathTests: items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object @@ -729,7 +1036,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -738,7 +1047,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 diff --git a/manifest_staging/charts/gatekeeper/crds/assignimage-customresourcedefinition.yaml b/manifest_staging/charts/gatekeeper/crds/assignimage-customresourcedefinition.yaml index a6ae2b75bc6..8a206ea3d50 100644 --- a/manifest_staging/charts/gatekeeper/crds/assignimage-customresourcedefinition.yaml +++ b/manifest_staging/charts/gatekeeper/crds/assignimage-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: assignimage.mutations.gatekeeper.sh 
@@ -22,10 +22,19 @@ spec: description: AssignImage is the Schema for the assignimage API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: properties: 
@@ -37,9 +46,14 @@ spec: description: AssignImageSpec defines the desired state of AssignImage. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -59,21 +73,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].image`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -84,21 +117,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -110,29 +157,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -144,21 +208,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -169,17 +251,32 @@ spec: description: Parameters define the behavior of the mutator. properties: assignDomain: - description: AssignDomain sets the domain component on an image string. The trailing slash should not be included. + description: |- + AssignDomain sets the domain component on an image string. The trailing + slash should not be included. type: string assignPath: description: AssignPath sets the domain component on an image string. type: string assignTag: - description: AssignImage sets the image component on an image string. It must start with a `:` or `@`. + description: |- + AssignImage sets the image component on an image string. It must start + with a `:` or `@`. type: string pathTests: items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object 
@@ -209,7 +306,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message @@ -218,7 +317,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 diff --git a/manifest_staging/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml b/manifest_staging/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml index f3c4dca92fb..2c28c1c6d02 100644 --- a/manifest_staging/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml +++ b/manifest_staging/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: assignmetadata.mutations.gatekeeper.sh 
@@ -22,10 +22,19 @@ spec: description: AssignMetadata is the Schema for the assignmetadata API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: properties: 
@@ -42,18 +51,34 @@ spec: description: Match selects which objects are in scope. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. 
+ If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -64,21 +89,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -90,29 +129,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -124,21 +180,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated @@ -155,17 +229,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore 
@@ -192,7 +272,9 @@ spec: description: AssignMetadataStatus defines the observed state of AssignMetadata. properties: byPod: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file items: description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. properties: @@ -205,7 +287,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message @@ -214,7 +298,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 
@@ -237,10 +324,19 @@ spec: description: AssignMetadata is the Schema for the assignmetadata API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -253,18 +349,34 @@ spec: description: Match selects which objects are in scope. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. 
+ If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -275,21 +387,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -301,29 +427,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -335,21 +478,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated @@ -366,17 +527,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore 
@@ -403,7 +570,9 @@ spec: description: AssignMetadataStatus defines the observed state of AssignMetadata. properties: byPod: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file items: description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. properties: @@ -416,7 +585,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message @@ -425,7 +596,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 
@@ -448,10 +622,19 @@ spec: description: AssignMetadata is the Schema for the assignmetadata API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -464,18 +647,34 @@ spec: description: Match selects which objects are in scope. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. 
+ If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -486,21 +685,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -512,29 +725,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -546,21 +776,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated @@ -577,17 +825,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore 
@@ -614,7 +868,9 @@ spec: description: AssignMetadataStatus defines the observed state of AssignMetadata. properties: byPod: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file items: description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. properties: @@ -627,7 +883,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message @@ -636,7 +894,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 diff --git a/manifest_staging/charts/gatekeeper/crds/config-customresourcedefinition.yaml b/manifest_staging/charts/gatekeeper/crds/config-customresourcedefinition.yaml index 36bb7d541b7..2842c926d05 100644 --- a/manifest_staging/charts/gatekeeper/crds/config-customresourcedefinition.yaml +++ b/manifest_staging/charts/gatekeeper/crds/config-customresourcedefinition.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: configs.config.gatekeeper.sh @@ -22,10 +22,19 @@ spec: description: Config is the Schema for the configs API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -38,7 +47,10 @@ spec: properties: excludedNamespaces: items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array diff --git a/manifest_staging/charts/gatekeeper/crds/constraintpodstatus-customresourcedefinition.yaml b/manifest_staging/charts/gatekeeper/crds/constraintpodstatus-customresourcedefinition.yaml index c1e3199057d..566ac21f376 100644 --- a/manifest_staging/charts/gatekeeper/crds/constraintpodstatus-customresourcedefinition.yaml +++ b/manifest_staging/charts/gatekeeper/crds/constraintpodstatus-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: constraintpodstatuses.status.gatekeeper.sh 
@@ -22,10 +22,19 @@ spec: description: ConstraintPodStatus is the Schema for the constraintpodstatuses API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -33,7 +42,10 @@ spec: description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus. properties: constraintUID: - description: Storing the constraint UID allows us to detect drift, such as when a constraint has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the constraint UID allows us to detect drift, such as + when a constraint has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string enforced: type: boolean 
diff --git a/manifest_staging/charts/gatekeeper/crds/constrainttemplatepodstatus-customresourcedefinition.yaml b/manifest_staging/charts/gatekeeper/crds/constrainttemplatepodstatus-customresourcedefinition.yaml index 271572bd7e8..f6290d17f7a 100644 --- a/manifest_staging/charts/gatekeeper/crds/constrainttemplatepodstatus-customresourcedefinition.yaml +++ b/manifest_staging/charts/gatekeeper/crds/constrainttemplatepodstatus-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: constrainttemplatepodstatuses.status.gatekeeper.sh 
@@ -22,10 +22,19 @@ spec: description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -58,7 +67,10 @@ spec: type: string type: array templateUID: - description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + description: |- + UID is a type that holds unique ID values, including UUIDs. Because we + don't ONLY use UUIDs, this is an alias to string. Being a type captures + intent and helps make sure that UIDs and names do not get conflated. type: string type: object type: object diff --git a/manifest_staging/charts/gatekeeper/crds/expansiontemplate-customresourcedefinition.yaml b/manifest_staging/charts/gatekeeper/crds/expansiontemplate-customresourcedefinition.yaml index 0452edb7761..f5838f6e50e 100644 --- a/manifest_staging/charts/gatekeeper/crds/expansiontemplate-customresourcedefinition.yaml +++ b/manifest_staging/charts/gatekeeper/crds/expansiontemplate-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: expansiontemplate.expansion.gatekeeper.sh 
@@ -22,10 +22,19 @@ spec: description: ExpansionTemplate is the Schema for the ExpansionTemplate API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: properties: 
@@ -37,9 +46,13 @@ spec: description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded. + description: |- + ApplyTo lists the specific groups, versions and kinds of generator resources + which will be expanded. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: @@ -56,10 +69,15 @@ spec: type: object type: array enforcementAction: - description: EnforcementAction specifies the enforcement action to be used for resources matching the ExpansionTemplate. Specifying an empty value will use the enforcement action specified by the Constraint in violation. + description: |- + EnforcementAction specifies the enforcement action to be used for resources + matching the ExpansionTemplate. Specifying an empty value will use the + enforcement action specified by the Constraint in violation. type: string generatedGVK: - description: GeneratedGVK specifies the GVK of the resources which the generator resource creates. + description: |- + GeneratedGVK specifies the GVK of the resources which the generator + resource creates. properties: group: type: string @@ -69,7 +87,10 @@ spec: type: string type: object templateSource: - description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template + description: |- + TemplateSource specifies the source field on the generator resource to + use as the base for expanded resource. For Pod-creating generators, this + is usually spec.template type: string type: object status: 
@@ -101,7 +122,10 @@ spec: type: string type: array templateUID: - description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + description: |- + UID is a type that holds unique ID values, including UUIDs. Because we + don't ONLY use UUIDs, this is an alias to string. Being a type captures + intent and helps make sure that UIDs and names do not get conflated. type: string type: object type: array @@ -117,10 +141,19 @@ spec: description: ExpansionTemplate is the Schema for the ExpansionTemplate API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -128,9 +161,13 @@ spec: description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded. + description: |- + ApplyTo lists the specific groups, versions and kinds of generator resources + which will be expanded. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: @@ -147,10 +184,15 @@ spec: type: object type: array enforcementAction: - description: EnforcementAction specifies the enforcement action to be used for resources matching the ExpansionTemplate. Specifying an empty value will use the enforcement action specified by the Constraint in violation. + description: |- + EnforcementAction specifies the enforcement action to be used for resources + matching the ExpansionTemplate. Specifying an empty value will use the + enforcement action specified by the Constraint in violation. type: string generatedGVK: - description: GeneratedGVK specifies the GVK of the resources which the generator resource creates. + description: |- + GeneratedGVK specifies the GVK of the resources which the generator + resource creates. properties: group: type: string @@ -160,7 +202,10 @@ spec: type: string type: object templateSource: - description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template + description: |- + TemplateSource specifies the source field on the generator resource to + use as the base for expanded resource. For Pod-creating generators, this + is usually spec.template type: string type: object status: 
@@ -192,7 +237,10 @@ spec: type: string type: array templateUID: - description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + description: |- + UID is a type that holds unique ID values, including UUIDs. Because we + don't ONLY use UUIDs, this is an alias to string. Being a type captures + intent and helps make sure that UIDs and names do not get conflated. type: string type: object type: array diff --git a/manifest_staging/charts/gatekeeper/crds/expansiontemplatepodstatus-customresourcedefinition.yaml b/manifest_staging/charts/gatekeeper/crds/expansiontemplatepodstatus-customresourcedefinition.yaml index 8f49b4c5f7f..004abaf343d 100644 --- a/manifest_staging/charts/gatekeeper/crds/expansiontemplatepodstatus-customresourcedefinition.yaml +++ b/manifest_staging/charts/gatekeeper/crds/expansiontemplatepodstatus-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: expansiontemplatepodstatuses.status.gatekeeper.sh 
@@ -22,10 +22,19 @@ spec: description: ExpansionTemplatePodStatus is the Schema for the expansiontemplatepodstatuses API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,7 +63,10 @@ spec: type: string type: array templateUID: - description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + description: |- + UID is a type that holds unique ID values, including UUIDs. Because we + don't ONLY use UUIDs, this is an alias to string. Being a type captures + intent and helps make sure that UIDs and names do not get conflated. type: string type: object type: object diff --git a/manifest_staging/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml b/manifest_staging/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml index 4ee2a39d106..188197df541 100644 --- a/manifest_staging/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml +++ b/manifest_staging/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: modifyset.mutations.gatekeeper.sh 
@@ -19,13 +19,24 @@ spec: - name: v1 schema: openAPIV3Schema: - description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + description: |- + ModifySet allows the user to modify non-keyed lists, such as + the list of arguments to a container. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: properties: 
@@ -37,9 +48,14 @@ spec: description: ModifySetSpec defines the desired state of ModifySet. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -59,21 +75,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -84,21 +119,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -110,29 +159,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -144,21 +210,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -176,9 +260,22 @@ spec: - prune type: string pathTests: - description: PathTests are a series of existence tests that can be checked before a mutation is applied + description: |- + PathTests are a series of existence tests that can be checked + before a mutation is applied items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object @@ -212,7 +309,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -221,7 +320,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 
@@ -241,13 +343,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + description: |- + ModifySet allows the user to modify non-keyed lists, such as + the list of arguments to a container. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -255,9 +368,14 @@ spec: description: ModifySetSpec defines the desired state of ModifySet. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -277,21 +395,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -302,21 +439,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -328,29 +479,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -362,21 +530,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -394,9 +580,22 @@ spec: - prune type: string pathTests: - description: PathTests are a series of existence tests that can be checked before a mutation is applied + description: |- + PathTests are a series of existence tests that can be checked + before a mutation is applied items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object @@ -430,7 +629,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -439,7 +640,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 
@@ -459,13 +663,24 @@ spec: - name: v1beta1 schema: openAPIV3Schema: - description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + description: |- + ModifySet allows the user to modify non-keyed lists, such as + the list of arguments to a container. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -473,9 +688,14 @@ spec: description: ModifySetSpec defines the desired state of ModifySet. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -495,21 +715,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -520,21 +759,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -546,29 +799,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -580,21 +850,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -612,9 +900,22 @@ spec: - prune type: string pathTests: - description: PathTests are a series of existence tests that can be checked before a mutation is applied + description: |- + PathTests are a series of existence tests that can be checked + before a mutation is applied items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object @@ -648,7 +949,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -657,7 +960,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 diff --git a/manifest_staging/charts/gatekeeper/crds/mutatorpodstatus-customresourcedefinition.yaml b/manifest_staging/charts/gatekeeper/crds/mutatorpodstatus-customresourcedefinition.yaml index fd6a0f6dea6..931e05e147a 100644 --- a/manifest_staging/charts/gatekeeper/crds/mutatorpodstatus-customresourcedefinition.yaml +++ b/manifest_staging/charts/gatekeeper/crds/mutatorpodstatus-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: mutatorpodstatuses.status.gatekeeper.sh 
@@ -22,10 +22,19 @@ spec: description: MutatorPodStatus is the Schema for the mutationpodstatuses API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -41,7 +50,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -50,7 +61,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 diff --git a/manifest_staging/charts/gatekeeper/crds/syncset-customresourcedefinition.yaml b/manifest_staging/charts/gatekeeper/crds/syncset-customresourcedefinition.yaml index c5c51f9da4a..1ef7ce4154e 100644 --- a/manifest_staging/charts/gatekeeper/crds/syncset-customresourcedefinition.yaml +++ b/manifest_staging/charts/gatekeeper/crds/syncset-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: syncsets.syncset.gatekeeper.sh 
@@ -22,10 +22,19 @@ spec: description: SyncSet defines which resources Gatekeeper will cache. The union of all SyncSets plus the syncOnly field of Gatekeeper's Config resource defines the sets of resources that will be synced. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: properties: diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml index 2693455e989..e41f96c9790 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml 
@@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - creationTimestamp: null labels: app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml index 1018dcdb667..72d7513baaf 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml @@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - creationTimestamp: null labels: app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' diff --git a/manifest_staging/deploy/gatekeeper.yaml b/manifest_staging/deploy/gatekeeper.yaml index 53d0beb7d10..2e6fb85caf9 100644 --- a/manifest_staging/deploy/gatekeeper.yaml +++ b/manifest_staging/deploy/gatekeeper.yaml @@ -34,7 +34,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: assign.mutations.gatekeeper.sh 
@@ -54,10 +54,19 @@ spec: description: Assign is the Schema for the assign API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: properties: 
@@ -69,9 +78,14 @@ spec: description: AssignSpec defines the desired state of Assign. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -91,21 +105,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -116,21 +149,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -142,29 +189,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -176,21 +240,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated @@ -208,17 +290,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore 
@@ -241,7 +329,18 @@ spec: type: object pathTests: items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object @@ -271,7 +370,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -280,7 +381,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -303,10 +407,19 @@ spec: description: Assign is the Schema for the assign API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -314,9 +427,14 @@ spec: description: AssignSpec defines the desired state of Assign. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -336,21 +454,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -361,21 +498,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -387,29 +538,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -421,21 +589,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated @@ -453,17 +639,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore 
@@ -486,7 +678,18 @@ spec: type: object pathTests: items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object @@ -516,7 +719,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -525,7 +730,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -548,10 +756,19 @@ spec: description: Assign is the Schema for the assign API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -559,9 +776,14 @@ spec: description: AssignSpec defines the desired state of Assign. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -581,21 +803,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -606,21 +847,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -632,29 +887,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -666,21 +938,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated @@ -698,17 +988,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore 
@@ -731,7 +1027,18 @@ spec: type: object pathTests: items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object @@ -761,7 +1068,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -770,7 +1079,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -792,7 +1104,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: assignimage.mutations.gatekeeper.sh 
@@ -812,10 +1124,19 @@ spec: description: AssignImage is the Schema for the assignimage API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: properties: 
@@ -827,9 +1148,14 @@ spec: description: AssignImageSpec defines the desired state of AssignImage. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -849,21 +1175,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].image`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -874,21 +1219,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -900,29 +1259,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -934,21 +1310,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -959,17 +1353,32 @@ spec: description: Parameters define the behavior of the mutator. properties: assignDomain: - description: AssignDomain sets the domain component on an image string. The trailing slash should not be included. + description: |- + AssignDomain sets the domain component on an image string. The trailing + slash should not be included. type: string assignPath: description: AssignPath sets the domain component on an image string. type: string assignTag: - description: AssignImage sets the image component on an image string. It must start with a `:` or `@`. + description: |- + AssignImage sets the image component on an image string. It must start + with a `:` or `@`. type: string pathTests: items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object 
@@ -999,7 +1408,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message @@ -1008,7 +1419,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -1030,7 +1444,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: assignmetadata.mutations.gatekeeper.sh 
@@ -1050,10 +1464,19 @@ spec: description: AssignMetadata is the Schema for the assignmetadata API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: properties: 
@@ -1070,18 +1493,34 @@ spec: description: Match selects which objects are in scope. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. 
+ If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -1092,21 +1531,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1118,29 +1571,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1152,21 +1622,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -1183,17 +1671,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore @@ -1220,7 +1714,9 @@ spec: description: AssignMetadataStatus defines the observed state of AssignMetadata. properties: byPod: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file items: description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. properties: @@ -1233,7 +1729,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -1242,7 +1740,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -1265,10 +1766,19 @@ spec: description: AssignMetadata is the Schema for the assignmetadata API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1281,18 +1791,34 @@ spec: description: Match selects which objects are in scope. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. 
+ If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -1303,21 +1829,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1329,29 +1869,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1363,21 +1920,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -1394,17 +1969,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore @@ -1431,7 +2012,9 @@ spec: description: AssignMetadataStatus defines the observed state of AssignMetadata. properties: byPod: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file items: description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. properties: @@ -1444,7 +2027,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -1453,7 +2038,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -1476,10 +2064,19 @@ spec: description: AssignMetadata is the Schema for the assignmetadata API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1492,18 +2089,34 @@ spec: description: Match selects which objects are in scope. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. 
+ If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -1514,21 +2127,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1540,29 +2167,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1574,21 +2218,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -1605,17 +2267,23 @@ spec: properties: dataSource: default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + description: |- + DataSource specifies where to extract the data that will be sent + to the external data provider as parameters. enum: - ValueAtLocation - Username type: string default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + description: |- + Default specifies the default value to use when the external data + provider returns an error and the failure policy is set to "UseDefault". type: string failurePolicy: default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + description: |- + FailurePolicy specifies the policy to apply when the external data + provider returns an error. enum: - UseDefault - Ignore @@ -1642,7 +2310,9 @@ spec: description: AssignMetadataStatus defines the observed state of AssignMetadata. properties: byPod: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file items: description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. properties: @@ -1655,7 +2325,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -1664,7 +2336,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -1686,7 +2361,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: configs.config.gatekeeper.sh 
@@ -1706,10 +2381,19 @@ spec: description: Config is the Schema for the configs API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1722,7 +2406,10 @@ spec: properties: excludedNamespaces: items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array @@ -1792,7 +2479,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: constraintpodstatuses.status.gatekeeper.sh 
@@ -1812,10 +2499,19 @@ spec: description: ConstraintPodStatus is the Schema for the constraintpodstatuses API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -1823,7 +2519,10 @@ spec: description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus. properties: constraintUID: - description: Storing the constraint UID allows us to detect drift, such as when a constraint has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the constraint UID allows us to detect drift, such as + when a constraint has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string enforced: type: boolean 
@@ -1860,7 +2559,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: constrainttemplatepodstatuses.status.gatekeeper.sh @@ -1880,10 +2579,19 @@ spec: description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1916,7 +2624,10 @@ spec: type: string type: array templateUID: - description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + description: |- + UID is a type that holds unique ID values, including UUIDs. Because we + don't ONLY use UUIDs, this is an alias to string. Being a type captures + intent and helps make sure that UIDs and names do not get conflated. type: string type: object type: object @@ -2285,7 +2996,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: expansiontemplate.expansion.gatekeeper.sh 
@@ -2305,10 +3016,19 @@ spec: description: ExpansionTemplate is the Schema for the ExpansionTemplate API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: properties: 
@@ -2320,9 +3040,13 @@ spec: description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded. + description: |- + ApplyTo lists the specific groups, versions and kinds of generator resources + which will be expanded. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: @@ -2339,10 +3063,15 @@ spec: type: object type: array enforcementAction: - description: EnforcementAction specifies the enforcement action to be used for resources matching the ExpansionTemplate. Specifying an empty value will use the enforcement action specified by the Constraint in violation. + description: |- + EnforcementAction specifies the enforcement action to be used for resources + matching the ExpansionTemplate. Specifying an empty value will use the + enforcement action specified by the Constraint in violation. type: string generatedGVK: - description: GeneratedGVK specifies the GVK of the resources which the generator resource creates. + description: |- + GeneratedGVK specifies the GVK of the resources which the generator + resource creates. properties: group: type: string @@ -2352,7 +3081,10 @@ spec: type: string type: object templateSource: - description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template + description: |- + TemplateSource specifies the source field on the generator resource to + use as the base for expanded resource. For Pod-creating generators, this + is usually spec.template type: string type: object status: 
@@ -2384,7 +3116,10 @@ spec: type: string type: array templateUID: - description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + description: |- + UID is a type that holds unique ID values, including UUIDs. Because we + don't ONLY use UUIDs, this is an alias to string. Being a type captures + intent and helps make sure that UIDs and names do not get conflated. type: string type: object type: array 
@@ -2400,10 +3135,19 @@ spec: description: ExpansionTemplate is the Schema for the ExpansionTemplate API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -2411,9 +3155,13 @@ spec: description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded. + description: |- + ApplyTo lists the specific groups, versions and kinds of generator resources + which will be expanded. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: @@ -2430,10 +3178,15 @@ spec: type: object type: array enforcementAction: - description: EnforcementAction specifies the enforcement action to be used for resources matching the ExpansionTemplate. Specifying an empty value will use the enforcement action specified by the Constraint in violation. + description: |- + EnforcementAction specifies the enforcement action to be used for resources + matching the ExpansionTemplate. Specifying an empty value will use the + enforcement action specified by the Constraint in violation. type: string generatedGVK: - description: GeneratedGVK specifies the GVK of the resources which the generator resource creates. + description: |- + GeneratedGVK specifies the GVK of the resources which the generator + resource creates. properties: group: type: string @@ -2443,7 +3196,10 @@ spec: type: string type: object templateSource: - description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template + description: |- + TemplateSource specifies the source field on the generator resource to + use as the base for expanded resource. For Pod-creating generators, this + is usually spec.template type: string type: object status: 
@@ -2475,7 +3231,10 @@ spec: type: string type: array templateUID: - description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + description: |- + UID is a type that holds unique ID values, including UUIDs. Because we + don't ONLY use UUIDs, this is an alias to string. Being a type captures + intent and helps make sure that UIDs and names do not get conflated. type: string type: object type: array @@ -2490,7 +3249,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: expansiontemplatepodstatuses.status.gatekeeper.sh 
@@ -2510,10 +3269,19 @@ spec: description: ExpansionTemplatePodStatus is the Schema for the expansiontemplatepodstatuses API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -2542,7 +3310,10 @@ spec: type: string type: array templateUID: - description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + description: |- + UID is a type that holds unique ID values, including UUIDs. Because we + don't ONLY use UUIDs, this is an alias to string. Being a type captures + intent and helps make sure that UIDs and names do not get conflated. type: string type: object type: object @@ -2553,7 +3324,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: modifyset.mutations.gatekeeper.sh 
@@ -2570,13 +3341,24 @@ spec: - name: v1 schema: openAPIV3Schema: - description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + description: |- + ModifySet allows the user to modify non-keyed lists, such as + the list of arguments to a container. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: properties: 
@@ -2588,9 +3370,14 @@ spec: description: ModifySetSpec defines the desired state of ModifySet. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -2610,21 +3397,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -2635,21 +3441,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2661,29 +3481,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2695,21 +3532,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -2727,9 +3582,22 @@ spec: - prune type: string pathTests: - description: PathTests are a series of existence tests that can be checked before a mutation is applied + description: |- + PathTests are a series of existence tests that can be checked + before a mutation is applied items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object @@ -2763,7 +3631,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -2772,7 +3642,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 
@@ -2792,13 +3665,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + description: |- + ModifySet allows the user to modify non-keyed lists, such as + the list of arguments to a container. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -2806,9 +3690,14 @@ spec: description: ModifySetSpec defines the desired state of ModifySet. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -2828,21 +3717,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -2853,21 +3761,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2879,29 +3801,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2913,21 +3852,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -2945,9 +3902,22 @@ spec: - prune type: string pathTests: - description: PathTests are a series of existence tests that can be checked before a mutation is applied + description: |- + PathTests are a series of existence tests that can be checked + before a mutation is applied items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object @@ -2981,7 +3951,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -2990,7 +3962,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 
@@ -3010,13 +3985,24 @@ spec: - name: v1beta1 schema: openAPIV3Schema: - description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + description: |- + ModifySet allows the user to modify non-keyed lists, such as + the list of arguments to a container. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -3024,9 +4010,14 @@ spec: description: ModifySetSpec defines the desired state of ModifySet. properties: applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + description: |- + ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. + This is necessary because every mutation implies part of an object schema and object + schemas are associated with specific GVKs. items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + description: |- + ApplyTo determines what GVKs items the mutation should apply to. + Globs are not allowed. properties: groups: items: 
@@ -3046,21 +4037,40 @@ spec: description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' type: string match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + description: |- + Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined + match criteria matches everything. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. For example, + `excludedNamespaces: [kube-*]` matches both `kube-system` and + `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and + `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. 
pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, + only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -3071,21 +4081,35 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `matchLabels` + and `matchExpressions`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -3097,29 +4121,46 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -3131,21 +4172,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both + `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both + `kube-system` and `gatekeeper-system`. items: - description: 'A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will match "system-kube" or "kube-system". The asterisk is required for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". 
The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of + `Generated` will only match generated resources, while `Original` will only + match regular resources. enum: - All - Generated 
@@ -3163,9 +4222,22 @@ spec: - prune type: string pathTests: - description: PathTests are a series of existence tests that can be checked before a mutation is applied + description: |- + PathTests are a series of existence tests that can be checked + before a mutation is applied items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + description: |- + PathTest allows the user to customize how the mutation works if parent + paths are missing. It traverses the list in order. All sub paths are + tested against the provided condition, if the test fails, the mutation is + not applied. All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. + + + Available Tests: + * MustExist - the path must exist or do not mutate + * MustNotExist - the path must not exist or do not mutate. properties: condition: description: Condition describes whether the path either MustExist or MustNotExist in the original object @@ -3199,7 +4271,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -3208,7 +4282,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -3230,7 +4307,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: mutatorpodstatuses.status.gatekeeper.sh 
@@ -3250,10 +4327,19 @@ spec: description: MutatorPodStatus is the Schema for the mutationpodstatuses API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -3269,7 +4355,9 @@ spec: message: type: string type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + description: |- + Type indicates a specific class of error for use by controller code. + If not present, the error should be treated as not matching any known type. type: string required: - message 
@@ -3278,7 +4366,10 @@ spec: id: type: string mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + description: |- + Storing the mutator UID allows us to detect drift, such as + when a mutator has been recreated after its CRD was deleted + out from under it, interrupting the watch type: string observedGeneration: format: int64 @@ -3375,7 +4466,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.14.0 labels: gatekeeper.sh/system: "yes" name: syncsets.syncset.gatekeeper.sh 
@@ -3395,10 +4486,19 @@ spec: description: SyncSet defines which resources Gatekeeper will cache. The union of all SyncSets plus the syncOnly field of Gatekeeper's Config resource defines the sets of resources that will be synced. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: properties: @@ -3435,7 +4535,6 @@ metadata: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - creationTimestamp: null labels: gatekeeper.sh/system: "yes" name: gatekeeper-manager-role @@ -3464,7 +4563,6 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - creationTimestamp: null labels: gatekeeper.sh/system: "yes" name: gatekeeper-manager-role 
diff --git a/pkg/mutation/match/zz_generated.deepcopy.go b/pkg/mutation/match/zz_generated.deepcopy.go index 26213f1e2d5..d06323b2094 100644 --- a/pkg/mutation/match/zz_generated.deepcopy.go +++ b/pkg/mutation/match/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* diff --git a/pkg/target/matchcrd_constant.go b/pkg/target/matchcrd_constant.go index a390668bd47..4bd13fd0dc6 100644 --- a/pkg/target/matchcrd_constant.go +++ b/pkg/target/matchcrd_constant.go @@ -9,8 +9,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: matchcrd.match.gatekeeper.sh spec: group: match.gatekeeper.sh 
@@ -24,45 +23,50 @@ spec: - name: match schema: openAPIV3Schema: - description: DummyCRD is a "dummy" CRD to hold the Match object, which we - ultimately need to generate JSONSchemaProps. The TypeMeta and ObjectMeta - fields are required for controller-gen to generate the CRD. + description: |- + DummyCRD is a "dummy" CRD to hold the Match object, which we ultimately + need to generate JSONSchemaProps. The TypeMeta and ObjectMeta fields are + required for controller-gen to generate the CRD. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string embeddedMatch: description: Match selects which objects are in scope. properties: excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If - defined, a constraint only applies to resources not in a listed - namespace. ExcludedNamespaces also supports a prefix or suffix based - glob. For example, `+"`"+`excludedNamespaces: [kube-*]`+"`"+` matches both - `+"`"+`kube-system`+"`"+` and `+"`"+`kube-public`+"`"+`, and `+"`"+`excludedNamespaces: [*-system]`+"`"+` - matches both `+"`"+`kube-system`+"`"+` and `+"`"+`gatekeeper-system`+"`"+`.' + description: |- + ExcludedNamespaces is a list of namespace names. If defined, a + constraint only applies to resources not in a listed namespace. + ExcludedNamespaces also supports a prefix or suffix based glob. 
For example, + `+"`"+`excludedNamespaces: [kube-*]`+"`"+` matches both `+"`"+`kube-system`+"`"+` and + `+"`"+`kube-public`+"`"+`, and `+"`"+`excludedNamespaces: [*-system]`+"`"+` matches both `+"`"+`kube-system`+"`"+` and + `+"`"+`gatekeeper-system`+"`"+`. items: - description: 'A string that supports globbing at its front and end. - Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" - will match "kube-system" or "gatekeeper-system", "*system*" will - match "system-kube" or "kube-system". The asterisk is required - for wildcard matching.' + description: |- + A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array kinds: items: - description: Kinds accepts a list of objects with apiGroups and - kinds fields that list the groups/kinds of objects to which the - mutation will apply. If multiple groups/kinds objects are specified, + description: |- + Kinds accepts a list of objects with apiGroups and kinds fields + that list the groups/kinds of objects to which the mutation will apply. + If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. properties: apiGroups: - description: APIGroups is the API groups the resources belong - to. '*' is all groups. If '*' is present, the length of the - slice must be one. Required. + description: |- + APIGroups is the API groups the resources belong to. '*' is all groups. + If '*' is present, the length of the slice must be one. + Required. items: type: string type: array 
@@ -73,35 +77,36 @@ spec: type: object type: array labelSelector: - description: 'LabelSelector is the combination of two optional fields: - `+"`"+`matchLabels`+"`"+` and `+"`"+`matchExpressions`+"`"+`. These two fields provide - different methods of selecting or excluding k8s objects based on - the label keys and values included in object metadata. All selection - expressions from both sections are ANDed to determine if an object - meets the cumulative requirements of the selector.' + description: |- + LabelSelector is the combination of two optional fields: `+"`"+`matchLabels`+"`"+` + and `+"`"+`matchExpressions`+"`"+`. These two fields provide different methods of + selecting or excluding k8s objects based on the label keys and values + included in object metadata. All selection expressions from both + sections are ANDed to determine if an object meets the cumulative + requirements of the selector. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. 
This array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -114,47 +119,47 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic name: - description: 'Name is the name of an object. If defined, it will - match against objects with the specified name. Name also supports - a prefix or suffix glob. For example, `+"`"+`name: pod-*`+"`"+` would match - both `+"`"+`pod-a`+"`"+` and `+"`"+`pod-b`+"`"+`, and `+"`"+`name: *-pod`+"`"+` would match both `+"`"+`a-pod`+"`"+` - and `+"`"+`b-pod`+"`"+`.' + description: |- + Name is the name of an object. If defined, it will match against objects with the specified + name. Name also supports a prefix or suffix glob. For example, `+"`"+`name: pod-*`+"`"+` would match + both `+"`"+`pod-a`+"`"+` and `+"`"+`pod-b`+"`"+`, and `+"`"+`name: *-pod`+"`"+` would match both `+"`"+`a-pod`+"`"+` and `+"`"+`b-pod`+"`"+`. pattern: ^\*?[-:a-z0-9]*\*?$ type: string namespaceSelector: - description: NamespaceSelector is a label selector against an object's - containing namespace or the object itself, if the object is a namespace. + description: |- + NamespaceSelector is a label selector against an object's containing + namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -167,38 +172,39 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: - description: 'Namespaces is a list of namespace names. If defined, - a constraint only applies to resources in a listed namespace. Namespaces - also supports a prefix or suffix based glob. For example, `+"`"+`namespaces: - [kube-*]`+"`"+` matches both `+"`"+`kube-system`+"`"+` and `+"`"+`kube-public`+"`"+`, and `+"`"+`namespaces: - [*-system]`+"`"+` matches both `+"`"+`kube-system`+"`"+` and `+"`"+`gatekeeper-system`+"`"+`.' + description: |- + Namespaces is a list of namespace names. If defined, a constraint only + applies to resources in a listed namespace. Namespaces also supports a + prefix or suffix based glob. For example, `+"`"+`namespaces: [kube-*]`+"`"+` matches both + `+"`"+`kube-system`+"`"+` and `+"`"+`kube-public`+"`"+`, and `+"`"+`namespaces: [*-system]`+"`"+` matches both + `+"`"+`kube-system`+"`"+` and `+"`"+`gatekeeper-system`+"`"+`. items: - description: 'A string that supports globbing at its front and end. - Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" - will match "kube-system" or "gatekeeper-system", "*system*" will - match "system-kube" or "kube-system". The asterisk is required - for wildcard matching.' + description: |- + A string that supports globbing at its front and end. 
Ex: "kube-*" will match "kube-system" or + "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will + match "system-kube" or "kube-system". The asterisk is required for wildcard matching. pattern: ^\*?[-:a-z0-9]*\*?$ type: string type: array scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped - resources are matched. Accepts `+"`"+`*`+"`"+`, `+"`"+`Cluster`+"`"+`, or `+"`"+`Namespaced`+"`"+`. - (defaults to `+"`"+`*`+"`"+`) + description: |- + Scope determines if cluster-scoped and/or namespaced-scoped resources + are matched. Accepts `+"`"+`*`+"`"+`, `+"`"+`Cluster`+"`"+`, or `+"`"+`Namespaced`+"`"+`. (defaults to `+"`"+`*`+"`"+`) type: string source: - description: Source determines whether generated or original resources - are matched. Accepts `+"`"+`Generated`+"`"+`|`+"`"+`Original`+"`"+`|`+"`"+`All`+"`"+` (defaults to `+"`"+`All`+"`"+`). - A value of `+"`"+`Generated`+"`"+` will only match generated resources, while - `+"`"+`Original`+"`"+` will only match regular resources. + description: |- + Source determines whether generated or original resources are matched. + Accepts `+"`"+`Generated`+"`"+`|`+"`"+`Original`+"`"+`|`+"`"+`All`+"`"+` (defaults to `+"`"+`All`+"`"+`). A value of + `+"`"+`Generated`+"`"+` will only match generated resources, while `+"`"+`Original`+"`"+` will only + match regular resources. enum: - All - Generated 
@@ -206,9 +212,12 @@ spec: type: string type: object kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadataDummy: type: object diff --git a/test/externaldata/dummy-provider/Dockerfile b/test/externaldata/dummy-provider/Dockerfile index 001880610c9..86daf931342 100644 --- a/test/externaldata/dummy-provider/Dockerfile +++ b/test/externaldata/dummy-provider/Dockerfile @@ -1,5 +1,5 @@ ARG BUILDPLATFORM="linux/amd64" -ARG BUILDERIMAGE="golang:1.21-bullseye" +ARG BUILDERIMAGE="golang:1.22-bookworm" ARG BASEIMAGE="gcr.io/distroless/static:nonroot" FROM --platform=$BUILDPLATFORM $BUILDERIMAGE as builder diff --git a/test/image/Dockerfile b/test/image/Dockerfile index 293ce9bec9e..fb6b26a36c1 100644 --- a/test/image/Dockerfile +++ b/test/image/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.21-bullseye@sha256:47fa179d4966a0950485ede2ef81567bb1cf62e1e87af07e9830e5c928d06cd0 as builder +FROM golang:1.22-bullseye@sha256:d996c645c9934e770e64f05fc2bc103755197b43fd999b3aa5419142e1ee6d78 as builder ARG BATS_VERSION ARG ORAS_VERSION diff --git a/test/pubsub/fake-subscriber/Dockerfile b/test/pubsub/fake-subscriber/Dockerfile index fa389e7c05d..74a77f7528e 100644 --- a/test/pubsub/fake-subscriber/Dockerfile +++ b/test/pubsub/fake-subscriber/Dockerfile 
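Review bot: The bumped builder image in test/externaldata/dummy-provider/Dockerfile, `ARG BUILDERIMAGE="golang:1.22-bookworm"`, is still referenced by a mutable tag, whereas test/image/Dockerfile in this same patch pins its builder with an `@sha256:` digest. With a tag-only reference the build uses whatever the registry serves under that tag at build time, so a replaced or tampered upstream image would go unnoticed and the build is not reproducible. Consider pinning it the same way, e.g. `ARG BUILDERIMAGE="golang:1.22-bookworm@sha256:<digest-of-the-reviewed-image>"`, and let the dependency bot update the digest. The identical hunk in test/pubsub/fake-subscriber/Dockerfile has the same gap, and the unchanged `BASEIMAGE="gcr.io/distroless/static:nonroot"` in both files is tag-only as well. Separately, test/image/Dockerfile stays on `bullseye` while the other two move to `bookworm`; if that split is intentional, a one-line comment such as `# bullseye kept here because <reason>` would record why.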
@@ -1,5 +1,5 @@ ARG BUILDPLATFORM="linux/amd64" -ARG BUILDERIMAGE="golang:1.21-bullseye" +ARG BUILDERIMAGE="golang:1.22-bookworm" ARG BASEIMAGE="gcr.io/distroless/static:nonroot" FROM --platform=$BUILDPLATFORM $BUILDERIMAGE as builder