1 - FlowSchema

FlowSchema defines the schema of a group of flows.

apiVersion: flowcontrol.apiserver.k8s.io/v1

import "k8s.io/api/flowcontrol/v1"

FlowSchema

FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with similar attributes and is identified by a pair of strings: the name of the FlowSchema and a "flow distinguisher".


FlowSchemaSpec

FlowSchemaSpec describes how the FlowSchema's specification looks like.


  • distinguisherMethod (FlowDistinguisherMethod)

    distinguisherMethod defines how to compute the flow distinguisher for requests that match this schema. nil specifies that the distinguisher is disabled and thus will always be the empty string.

    FlowDistinguisherMethod specifies the method of a flow distinguisher.

    • distinguisherMethod.type (string), required

      type is the type of flow distinguisher method The supported types are "ByUser" and "ByNamespace". Required.

  • matchingPrecedence (int32)

    matchingPrecedence is used to choose among the FlowSchemas that match a given request. The chosen FlowSchema is among those with the numerically lowest (which we take to be logically highest) MatchingPrecedence. Each MatchingPrecedence value must be ranged in [1,10000]. Note that if the precedence is not specified, it will be set to 1000 as default.

  • priorityLevelConfiguration (PriorityLevelConfigurationReference), required

    priorityLevelConfiguration should reference a PriorityLevelConfiguration in the cluster. If the reference cannot be resolved, the FlowSchema will be ignored and marked as invalid in its status. Required.

    PriorityLevelConfigurationReference contains information that points to the "request-priority" being used.

    • priorityLevelConfiguration.name (string), required

      name is the name of the priority level configuration being referenced Required.

  • rules ([]PolicyRulesWithSubjects)

    Atomic: will be replaced during a merge

    rules describes which requests will match this flow schema. This FlowSchema matches a request if and only if at least one member of rules matches the request. if it is an empty slice, there will be no requests matching the FlowSchema.

    PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request.

    • rules.subjects ([]Subject), required

      Atomic: will be replaced during a merge

      subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. Required.

      Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.

      • rules.subjects.kind (string), required

        kind indicates which one of the other fields is non-empty. Required

      • rules.subjects.group (GroupSubject)

        group matches based on user group name.

        GroupSubject holds detailed information for group-kind subject.

      • rules.subjects.serviceAccount (ServiceAccountSubject)

        serviceAccount matches ServiceAccounts.

        ServiceAccountSubject holds detailed information for service-account-kind subject.

        • rules.subjects.serviceAccount.name (string), required

          name is the name of matching ServiceAccount objects, or "*" to match regardless of name. Required.

        • rules.subjects.serviceAccount.namespace (string), required

          namespace is the namespace of matching ServiceAccount objects. Required.

      • rules.subjects.user (UserSubject)

        user matches based on username.

        UserSubject holds detailed information for user-kind subject.

        • rules.subjects.user.name (string), required

          name is the username that matches, or "*" to match all usernames. Required.

    • rules.nonResourceRules ([]NonResourcePolicyRule)

      Atomic: will be replaced during a merge

      nonResourceRules is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.

      NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.

      • rules.nonResourceRules.nonResourceURLs ([]string), required

        Set: unique values will be kept during a merge

        nonResourceURLs is a set of url prefixes that a user should have access to and may not be empty. For example:

        • "/healthz" is legal
        • "/hea*" is illegal
        • "/hea" is legal but matches nothing
        • "/hea/*" also matches nothing
        • "/healthz/" matches all per-component health checks. "" matches all non-resource urls. if it is present, it must be the only entry. Required.
      • rules.nonResourceRules.verbs ([]string), required

        Set: unique values will be kept during a merge

        verbs is a list of matching verbs and may not be empty. "*" matches all verbs. If it is present, it must be the only entry. Required.

    • rules.resourceRules ([]ResourcePolicyRule)

      Atomic: will be replaced during a merge

      resourceRules is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. At least one of resourceRules and nonResourceRules has to be non-empty.

      ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e., Namespace=="") and clusterScope is true or (d2) the request specifies a namespace and least one member of namespaces matches the request's namespace.

      • rules.resourceRules.apiGroups ([]string), required

        Set: unique values will be kept during a merge

        apiGroups is a list of matching API groups and may not be empty. "*" matches all API groups and, if present, must be the only entry. Required.

      • rules.resourceRules.resources ([]string), required

        Set: unique values will be kept during a merge

        resources is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. For example, [ "services", "nodes/status" ]. This list may not be empty. "*" matches all resources and, if present, must be the only entry. Required.

      • rules.resourceRules.verbs ([]string), required

        Set: unique values will be kept during a merge

        verbs is a list of matching verbs and may not be empty. "*" matches all verbs and, if present, must be the only entry. Required.

      • rules.resourceRules.clusterScope (boolean)

        clusterScope indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the namespaces field must contain a non-empty list.

      • rules.resourceRules.namespaces ([]string)

        Set: unique values will be kept during a merge

        namespaces is a list of target namespaces that restricts matches. A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains "". Note that "" matches any specified namespace but does not match a request that does not specify a namespace (see the clusterScope field for that). This list may be empty, but only if clusterScope is true.

FlowSchemaStatus

FlowSchemaStatus represents the current state of a FlowSchema.


  • conditions ([]FlowSchemaCondition)

    Patch strategy: merge on key type

    Map: unique values on key type will be kept during a merge

    conditions is a list of the current states of FlowSchema.

    FlowSchemaCondition describes conditions for a FlowSchema.

    • conditions.lastTransitionTime (Time)

      lastTransitionTime is the last time the condition transitioned from one status to another.

      Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

    • conditions.message (string)

      message is a human-readable message indicating details about last transition.

    • conditions.reason (string)

      reason is a unique, one-word, CamelCase reason for the condition's last transition.

    • conditions.status (string)

      status is the status of the condition. Can be True, False, Unknown. Required.

    • conditions.type (string)

      type is the type of the condition. Required.

FlowSchemaList

FlowSchemaList is a list of FlowSchema objects.


Operations


get read the specified FlowSchema

HTTP Request

GET /apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/{name}

Parameters

  • name (in path): string, required

    name of the FlowSchema

  • pretty (in query): string

    pretty

Response

200 (FlowSchema): OK

401: Unauthorized

get read status of the specified FlowSchema

HTTP Request

GET /apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/{name}/status

Parameters

  • name (in path): string, required

    name of the FlowSchema

  • pretty (in query): string

    pretty

Response

200 (FlowSchema): OK

401: Unauthorized

list list or watch objects of kind FlowSchema

HTTP Request

GET /apis/flowcontrol.apiserver.k8s.io/v1/flowschemas

Parameters

Response

200 (FlowSchemaList): OK

401: Unauthorized

create create a FlowSchema

HTTP Request

POST /apis/flowcontrol.apiserver.k8s.io/v1/flowschemas

Parameters

Response

200 (FlowSchema): OK

201 (FlowSchema): Created

202 (FlowSchema): Accepted

401: Unauthorized

update replace the specified FlowSchema

HTTP Request

PUT /apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/{name}

Parameters

Response

200 (FlowSchema): OK

201 (FlowSchema): Created

401: Unauthorized

update replace status of the specified FlowSchema

HTTP Request

PUT /apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/{name}/status

Parameters

Response

200 (FlowSchema): OK

201 (FlowSchema): Created

401: Unauthorized

patch partially update the specified FlowSchema

HTTP Request

PATCH /apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/{name}

Parameters

  • name (in path): string, required

    name of the FlowSchema

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (FlowSchema): OK

201 (FlowSchema): Created

401: Unauthorized

patch partially update status of the specified FlowSchema

HTTP Request

PATCH /apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/{name}/status

Parameters

  • name (in path): string, required

    name of the FlowSchema

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (FlowSchema): OK

201 (FlowSchema): Created

401: Unauthorized

delete delete a FlowSchema

HTTP Request

DELETE /apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/{name}

Parameters

Response

200 (Status): OK

202 (Status): Accepted

401: Unauthorized

deletecollection delete collection of FlowSchema

HTTP Request

DELETE /apis/flowcontrol.apiserver.k8s.io/v1/flowschemas

Parameters

Response

200 (Status): OK

401: Unauthorized

2 - LimitRange

LimitRange sets resource usage limits for each kind of resource in a Namespace.

apiVersion: v1

import "k8s.io/api/core/v1"

LimitRange

LimitRange sets resource usage limits for each kind of resource in a Namespace.


LimitRangeSpec

LimitRangeSpec defines a min/max usage limit for resources that match on kind.


  • limits ([]LimitRangeItem), required

    Atomic: will be replaced during a merge

    Limits is the list of LimitRangeItem objects that are enforced.

    LimitRangeItem defines a min/max usage limit for any resource that matches on kind.

    • limits.type (string), required

      Type of resource that this limit applies to.

    • limits.default (map[string]Quantity)

      Default resource requirement limit value by resource name if resource limit is omitted.

    • limits.defaultRequest (map[string]Quantity)

      DefaultRequest is the default resource requirement request value by resource name if resource request is omitted.

    • limits.max (map[string]Quantity)

      Max usage constraints on this kind by resource name.

    • limits.maxLimitRequestRatio (map[string]Quantity)

      MaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource.

    • limits.min (map[string]Quantity)

      Min usage constraints on this kind by resource name.

LimitRangeList

LimitRangeList is a list of LimitRange items.


Operations


get read the specified LimitRange

HTTP Request

GET /api/v1/namespaces/{namespace}/limitranges/{name}

Parameters

  • name (in path): string, required

    name of the LimitRange

  • namespace (in path): string, required

    namespace

  • pretty (in query): string

    pretty

Response

200 (LimitRange): OK

401: Unauthorized

list list or watch objects of kind LimitRange

HTTP Request

GET /api/v1/namespaces/{namespace}/limitranges

Parameters

Response

200 (LimitRangeList): OK

401: Unauthorized

list list or watch objects of kind LimitRange

HTTP Request

GET /api/v1/limitranges

Parameters

Response

200 (LimitRangeList): OK

401: Unauthorized

create create a LimitRange

HTTP Request

POST /api/v1/namespaces/{namespace}/limitranges

Parameters

Response

200 (LimitRange): OK

201 (LimitRange): Created

202 (LimitRange): Accepted

401: Unauthorized

update replace the specified LimitRange

HTTP Request

PUT /api/v1/namespaces/{namespace}/limitranges/{name}

Parameters

Response

200 (LimitRange): OK

201 (LimitRange): Created

401: Unauthorized

patch partially update the specified LimitRange

HTTP Request

PATCH /api/v1/namespaces/{namespace}/limitranges/{name}

Parameters

  • name (in path): string, required

    name of the LimitRange

  • namespace (in path): string, required

    namespace

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (LimitRange): OK

201 (LimitRange): Created

401: Unauthorized

delete delete a LimitRange

HTTP Request

DELETE /api/v1/namespaces/{namespace}/limitranges/{name}

Parameters

Response

200 (Status): OK

202 (Status): Accepted

401: Unauthorized

deletecollection delete collection of LimitRange

HTTP Request

DELETE /api/v1/namespaces/{namespace}/limitranges

Parameters

Response

200 (Status): OK

401: Unauthorized

3 - ResourceQuota

ResourceQuota sets aggregate quota restrictions enforced per namespace.

apiVersion: v1

import "k8s.io/api/core/v1"

ResourceQuota

ResourceQuota sets aggregate quota restrictions enforced per namespace


ResourceQuotaSpec

ResourceQuotaSpec defines the desired hard limits to enforce for Quota.


  • hard (map[string]Quantity)

    hard is the set of desired hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/

  • scopeSelector (ScopeSelector)

    scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched.

    A scope selector represents the AND of the selectors represented by the scoped-resource selector requirements.

    • scopeSelector.matchExpressions ([]ScopedResourceSelectorRequirement)

      Atomic: will be replaced during a merge

      A list of scope selector requirements by scope of the resources.

      A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator that relates the scope name and values.

      • scopeSelector.matchExpressions.operator (string), required

        Represents a scope's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist.

      • scopeSelector.matchExpressions.scopeName (string), required

        The name of the scope that the selector applies to.

      • scopeSelector.matchExpressions.values ([]string)

        Atomic: will be replaced during a merge

        An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

  • scopes ([]string)

    Atomic: will be replaced during a merge

    A collection of filters that must match each object tracked by a quota. If not specified, the quota matches all objects.

ResourceQuotaStatus

ResourceQuotaStatus defines the enforced hard limits and observed use.


ResourceQuotaList

ResourceQuotaList is a list of ResourceQuota items.


Operations


get read the specified ResourceQuota

HTTP Request

GET /api/v1/namespaces/{namespace}/resourcequotas/{name}

Parameters

  • name (in path): string, required

    name of the ResourceQuota

  • namespace (in path): string, required

    namespace

  • pretty (in query): string

    pretty

Response

200 (ResourceQuota): OK

401: Unauthorized

get read status of the specified ResourceQuota

HTTP Request

GET /api/v1/namespaces/{namespace}/resourcequotas/{name}/status

Parameters

  • name (in path): string, required

    name of the ResourceQuota

  • namespace (in path): string, required

    namespace

  • pretty (in query): string

    pretty

Response

200 (ResourceQuota): OK

401: Unauthorized

list list or watch objects of kind ResourceQuota

HTTP Request

GET /api/v1/namespaces/{namespace}/resourcequotas

Parameters

Response

200 (ResourceQuotaList): OK

401: Unauthorized

list list or watch objects of kind ResourceQuota

HTTP Request

GET /api/v1/resourcequotas

Parameters

Response

200 (ResourceQuotaList): OK

401: Unauthorized

create create a ResourceQuota

HTTP Request

POST /api/v1/namespaces/{namespace}/resourcequotas

Parameters

Response

200 (ResourceQuota): OK

201 (ResourceQuota): Created

202 (ResourceQuota): Accepted

401: Unauthorized

update replace the specified ResourceQuota

HTTP Request

PUT /api/v1/namespaces/{namespace}/resourcequotas/{name}

Parameters

Response

200 (ResourceQuota): OK

201 (ResourceQuota): Created

401: Unauthorized

update replace status of the specified ResourceQuota

HTTP Request

PUT /api/v1/namespaces/{namespace}/resourcequotas/{name}/status

Parameters

Response

200 (ResourceQuota): OK

201 (ResourceQuota): Created

401: Unauthorized

patch partially update the specified ResourceQuota

HTTP Request

PATCH /api/v1/namespaces/{namespace}/resourcequotas/{name}

Parameters

  • name (in path): string, required

    name of the ResourceQuota

  • namespace (in path): string, required

    namespace

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (ResourceQuota): OK

201 (ResourceQuota): Created

401: Unauthorized

patch partially update status of the specified ResourceQuota

HTTP Request

PATCH /api/v1/namespaces/{namespace}/resourcequotas/{name}/status

Parameters

  • name (in path): string, required

    name of the ResourceQuota

  • namespace (in path): string, required

    namespace

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (ResourceQuota): OK

201 (ResourceQuota): Created

401: Unauthorized

delete delete a ResourceQuota

HTTP Request

DELETE /api/v1/namespaces/{namespace}/resourcequotas/{name}

Parameters

Response

200 (ResourceQuota): OK

202 (ResourceQuota): Accepted

401: Unauthorized

deletecollection delete collection of ResourceQuota

HTTP Request

DELETE /api/v1/namespaces/{namespace}/resourcequotas

Parameters

Response

200 (Status): OK

401: Unauthorized

4 - NetworkPolicy

NetworkPolicy describes what network traffic is allowed for a set of Pods.

apiVersion: networking.k8s.io/v1

import "k8s.io/api/networking/v1"

NetworkPolicy

NetworkPolicy describes what network traffic is allowed for a set of Pods


NetworkPolicySpec

NetworkPolicySpec provides the specification of a NetworkPolicy


  • podSelector (LabelSelector), required

    podSelector selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.

  • policyTypes ([]string)

    Atomic: will be replaced during a merge

    policyTypes is a list of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of ingress or egress rules; policies that contain an egress section are assumed to affect egress, and all policies (whether or not they contain an ingress section) are assumed to affect ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8

  • ingress ([]NetworkPolicyIngressRule)

    Atomic: will be replaced during a merge

    ingress is a list of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)

    NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.

    • ingress.from ([]NetworkPolicyPeer)

      Atomic: will be replaced during a merge

      from is a list of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.

      NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed

      • ingress.from.ipBlock (IPBlock)

        ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.

        IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.

        • ingress.from.ipBlock.cidr (string), required

          cidr is a string representing the IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64"

        • ingress.from.ipBlock.except ([]string)

          Atomic: will be replaced during a merge

          except is a slice of CIDRs that should not be included within an IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64" Except values will be rejected if they are outside the cidr range

      • ingress.from.namespaceSelector (LabelSelector)

        namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.

        If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector.

      • ingress.from.podSelector (LabelSelector)

        podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.

        If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace.

    • ingress.ports ([]NetworkPolicyPort)

      Atomic: will be replaced during a merge

      ports is a list of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.

      NetworkPolicyPort describes a port to allow traffic on

      • ingress.ports.port (IntOrString)

        port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.

        IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.

      • ingress.ports.endPort (int32)

        endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.

      • ingress.ports.protocol (string)

        protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.

  • egress ([]NetworkPolicyEgressRule)

    Atomic: will be replaced during a merge

    egress is a list of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8

    NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8

    • egress.to ([]NetworkPolicyPeer)

      Atomic: will be replaced during a merge

      to is a list of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.

      NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed

      • egress.to.ipBlock (IPBlock)

        ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.

        IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.

        • egress.to.ipBlock.cidr (string), required

          cidr is a string representing the IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64"

        • egress.to.ipBlock.except ([]string)

          Atomic: will be replaced during a merge

          except is a slice of CIDRs that should not be included within an IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64" Except values will be rejected if they are outside the cidr range

      • egress.to.namespaceSelector (LabelSelector)

        namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.

        If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector.

      • egress.to.podSelector (LabelSelector)

        podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.

        If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace.

    • egress.ports ([]NetworkPolicyPort)

      Atomic: will be replaced during a merge

      ports is a list of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.

      NetworkPolicyPort describes a port to allow traffic on

      • egress.ports.port (IntOrString)

        port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.

        IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.

      • egress.ports.endPort (int32)

        endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.

      • egress.ports.protocol (string)

        protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.

NetworkPolicyList

NetworkPolicyList is a list of NetworkPolicy objects.


Operations


get read the specified NetworkPolicy

HTTP Request

GET /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies/{name}

Parameters

  • name (in path): string, required

    name of the NetworkPolicy

  • namespace (in path): string, required

    namespace

  • pretty (in query): string

    pretty

Response

200 (NetworkPolicy): OK

401: Unauthorized

list list or watch objects of kind NetworkPolicy

HTTP Request

GET /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies

Parameters

Response

200 (NetworkPolicyList): OK

401: Unauthorized

list list or watch objects of kind NetworkPolicy

HTTP Request

GET /apis/networking.k8s.io/v1/networkpolicies

Parameters

Response

200 (NetworkPolicyList): OK

401: Unauthorized

create create a NetworkPolicy

HTTP Request

POST /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies

Parameters

Response

200 (NetworkPolicy): OK

201 (NetworkPolicy): Created

202 (NetworkPolicy): Accepted

401: Unauthorized

update replace the specified NetworkPolicy

HTTP Request

PUT /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies/{name}

Parameters

Response

200 (NetworkPolicy): OK

201 (NetworkPolicy): Created

401: Unauthorized

patch partially update the specified NetworkPolicy

HTTP Request

PATCH /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies/{name}

Parameters

  • name (in path): string, required

    name of the NetworkPolicy

  • namespace (in path): string, required

    namespace

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (NetworkPolicy): OK

201 (NetworkPolicy): Created

401: Unauthorized

delete delete a NetworkPolicy

HTTP Request

DELETE /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies/{name}

Parameters

Response

200 (Status): OK

202 (Status): Accepted

401: Unauthorized

deletecollection delete collection of NetworkPolicy

HTTP Request

DELETE /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies

Parameters

Response

200 (Status): OK

401: Unauthorized

5 - PodDisruptionBudget

PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods.

apiVersion: policy/v1

import "k8s.io/api/policy/v1"

PodDisruptionBudget

PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods


PodDisruptionBudgetSpec

PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.


  • maxUnavailable (IntOrString)

    An eviction is allowed if at most "maxUnavailable" pods selected by "selector" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with "minAvailable".

    IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.

  • minAvailable (IntOrString)

    An eviction is allowed if at least "minAvailable" pods selected by "selector" will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying "100%".

    IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.

  • selector (LabelSelector)

    Label query over pods whose evictions are managed by the disruption budget. A null selector will match no pods, while an empty ({}) selector will select all pods within the namespace.

  • unhealthyPodEvictionPolicy (string)

    UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods should be considered for eviction. Current implementation considers healthy pods, as pods that have status.conditions item with type="Ready",status="True".

    Valid policies are IfHealthyBudget and AlwaysAllow. If no policy is specified, the default behavior will be used, which corresponds to the IfHealthyBudget policy.

    IfHealthyBudget policy means that running pods (status.phase="Running"), but not yet healthy can be evicted only if the guarded application is not disrupted (status.currentHealthy is at least equal to status.desiredHealthy). Healthy pods will be subject to the PDB for eviction.

    AlwaysAllow policy means that all running pods (status.phase="Running"), but not yet healthy are considered disrupted and can be evicted regardless of whether the criteria in a PDB is met. This means perspective running pods of a disrupted application might not get a chance to become healthy. Healthy pods will be subject to the PDB for eviction.

    Additional policies may be added in the future. Clients making eviction decisions should disallow eviction of unhealthy pods if they encounter an unrecognized policy in this field.

    This field is beta-level. The eviction API uses this field when the feature gate PDBUnhealthyPodEvictionPolicy is enabled (enabled by default).

PodDisruptionBudgetStatus

PodDisruptionBudgetStatus represents information about the status of a PodDisruptionBudget. Status may trail the actual state of a system.


  • currentHealthy (int32), required

    current number of healthy pods

  • desiredHealthy (int32), required

    minimum desired number of healthy pods

  • disruptionsAllowed (int32), required

    Number of pod disruptions that are currently allowed.

  • expectedPods (int32), required

    total number of pods counted by this disruption budget

  • conditions ([]Condition)

    Patch strategy: merge on key type

    Map: unique values on key type will be kept during a merge

    Conditions contain conditions for PDB. The disruption controller sets the DisruptionAllowed condition. The following are known values for the reason field (additional reasons could be added in the future): - SyncFailed: The controller encountered an error and wasn't able to compute the number of allowed disruptions. Therefore no disruptions are allowed and the status of the condition will be False.

    • InsufficientPods: The number of pods are either at or below the number required by the PodDisruptionBudget. No disruptions are allowed and the status of the condition will be False.
    • SufficientPods: There are more pods than required by the PodDisruptionBudget. The condition will be True, and the number of allowed disruptions are provided by the disruptionsAllowed property.

    Condition contains details for one aspect of the current state of this API Resource.

    • conditions.lastTransitionTime (Time), required

      lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

      Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

    • conditions.message (string), required

      message is a human readable message indicating details about the transition. This may be an empty string.

    • conditions.reason (string), required

      reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.

    • conditions.status (string), required

      status of the condition, one of True, False, Unknown.

    • conditions.type (string), required

      type of condition in CamelCase or in foo.example.com/CamelCase.

    • conditions.observedGeneration (int64)

      observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

  • disruptedPods (map[string]Time)

    DisruptedPods contains information about pods whose eviction was processed by the API server eviction subresource handler but has not yet been observed by the PodDisruptionBudget controller. A pod will be in this map from the time when the API server processed the eviction request to the time when the pod is seen by PDB controller as having been marked for deletion (or after a timeout). The key in the map is the name of the pod and the value is the time when the API server processed the eviction request. If the deletion didn't occur and a pod is still there it will be removed from the list automatically by PodDisruptionBudget controller after some time. If everything goes smooth this map should be empty for the most of the time. Large number of entries in the map may indicate problems with pod deletions.

    Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

  • observedGeneration (int64)

    Most recent generation observed when updating this PDB status. DisruptionsAllowed and other status information is valid only if observedGeneration equals to PDB's object generation.

PodDisruptionBudgetList

PodDisruptionBudgetList is a collection of PodDisruptionBudgets.


Operations


get read the specified PodDisruptionBudget

HTTP Request

GET /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}

Parameters

  • name (in path): string, required

    name of the PodDisruptionBudget

  • namespace (in path): string, required

    namespace

  • pretty (in query): string

    pretty

Response

200 (PodDisruptionBudget): OK

401: Unauthorized

get read status of the specified PodDisruptionBudget

HTTP Request

GET /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}/status

Parameters

  • name (in path): string, required

    name of the PodDisruptionBudget

  • namespace (in path): string, required

    namespace

  • pretty (in query): string

    pretty

Response

200 (PodDisruptionBudget): OK

401: Unauthorized

list list or watch objects of kind PodDisruptionBudget

HTTP Request

GET /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets

Parameters

Response

200 (PodDisruptionBudgetList): OK

401: Unauthorized

list list or watch objects of kind PodDisruptionBudget

HTTP Request

GET /apis/policy/v1/poddisruptionbudgets

Parameters

Response

200 (PodDisruptionBudgetList): OK

401: Unauthorized

create create a PodDisruptionBudget

HTTP Request

POST /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets

Parameters

Response

200 (PodDisruptionBudget): OK

201 (PodDisruptionBudget): Created

202 (PodDisruptionBudget): Accepted

401: Unauthorized

update replace the specified PodDisruptionBudget

HTTP Request

PUT /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}

Parameters

Response

200 (PodDisruptionBudget): OK

201 (PodDisruptionBudget): Created

401: Unauthorized

update replace status of the specified PodDisruptionBudget

HTTP Request

PUT /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}/status

Parameters

Response

200 (PodDisruptionBudget): OK

201 (PodDisruptionBudget): Created

401: Unauthorized

patch partially update the specified PodDisruptionBudget

HTTP Request

PATCH /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}

Parameters

  • name (in path): string, required

    name of the PodDisruptionBudget

  • namespace (in path): string, required

    namespace

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (PodDisruptionBudget): OK

201 (PodDisruptionBudget): Created

401: Unauthorized

patch partially update status of the specified PodDisruptionBudget

HTTP Request

PATCH /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}/status

Parameters

  • name (in path): string, required

    name of the PodDisruptionBudget

  • namespace (in path): string, required

    namespace

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (PodDisruptionBudget): OK

201 (PodDisruptionBudget): Created

401: Unauthorized

delete delete a PodDisruptionBudget

HTTP Request

DELETE /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}

Parameters

Response

200 (Status): OK

202 (Status): Accepted

401: Unauthorized

deletecollection delete collection of PodDisruptionBudget

HTTP Request

DELETE /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets

Parameters

Response

200 (Status): OK

401: Unauthorized

6 - PriorityLevelConfiguration

PriorityLevelConfiguration represents the configuration of a priority level.

apiVersion: flowcontrol.apiserver.k8s.io/v1

import "k8s.io/api/flowcontrol/v1"

PriorityLevelConfiguration

PriorityLevelConfiguration represents the configuration of a priority level.


PriorityLevelConfigurationSpec

PriorityLevelConfigurationSpec specifies the configuration of a priority level.


  • exempt (ExemptPriorityLevelConfiguration)

    exempt specifies how requests are handled for an exempt priority level. This field MUST be empty if type is "Limited". This field MAY be non-empty if type is "Exempt". If empty and type is "Exempt" then the default values for ExemptPriorityLevelConfiguration apply.

    ExemptPriorityLevelConfiguration describes the configurable aspects of the handling of exempt requests. In the mandatory exempt configuration object the values in the fields here can be modified by authorized users, unlike the rest of the spec.

    • exempt.lendablePercent (int32)

      lendablePercent prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. This value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.

      LendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )

    • exempt.nominalConcurrencyShares (int32)

      nominalConcurrencyShares (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats nominally reserved for this priority level. This DOES NOT limit the dispatching from this priority level but affects the other priority levels through the borrowing mechanism. The server's concurrency limit (ServerCL) is divided among all the priority levels in proportion to their NCS values:

      NominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)

      Bigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of zero.

  • limited (LimitedPriorityLevelConfiguration)

    limited specifies how requests are handled for a Limited priority level. This field must be non-empty if and only if type is "Limited".

    *LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits. It addresses two issues:

    • How are requests for this priority level limited?

    • What should be done with requests that exceed the limit?*

    • limited.borrowingLimitPercent (int32)

      borrowingLimitPercent, if present, configures a limit on how many seats this priority level can borrow from other priority levels. The limit is known as this level's BorrowingConcurrencyLimit (BorrowingCL) and is a limit on the total number of seats that this level may borrow at any one time. This field holds the ratio of that limit to the level's nominal concurrency limit. When this field is non-nil, it must hold a non-negative integer and the limit is calculated as follows.

      BorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )

      The value of this field can be more than 100, implying that this priority level can borrow a number of seats that is greater than its own nominal concurrency limit (NominalCL). When this field is left nil, the limit is effectively infinite.

    • limited.lendablePercent (int32)

      lendablePercent prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. The value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.

      LendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )

    • limited.limitResponse (LimitResponse)

      limitResponse indicates what to do with requests that can not be executed right now

      LimitResponse defines how to handle requests that can not be executed right now.

      • limited.limitResponse.type (string), required

        type is "Queue" or "Reject". "Queue" means that requests that can not be executed upon arrival are held in a queue until they can be executed or a queuing limit is reached. "Reject" means that requests that can not be executed upon arrival are rejected. Required.

      • limited.limitResponse.queuing (QueuingConfiguration)

        queuing holds the configuration parameters for queuing. This field may be non-empty only if type is "Queue".

        QueuingConfiguration holds the configuration parameters for queuing

        • limited.limitResponse.queuing.handSize (int32)

          handSize is a small positive number that configures the shuffle sharding of requests into queues. When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here. The request is put into one of the shortest queues in that hand. handSize must be no larger than queues, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues). See the user-facing documentation for more extensive guidance on setting this field. This field has a default value of 8.

        • limited.limitResponse.queuing.queueLengthLimit (int32)

          queueLengthLimit is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected. This value must be positive. If not specified, it will be defaulted to 50.

        • limited.limitResponse.queuing.queues (int32)

          queues is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive. Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant. This field has a default value of 64.

    • limited.nominalConcurrencyShares (int32)

      nominalConcurrencyShares (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:

      NominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)

      Bigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level.

      If not specified, this field defaults to a value of 30.

      Setting this field to zero supports the construction of a "jail" for this priority level that is used to hold some request(s)

  • type (string), required

    type indicates whether this priority level is subject to limitation on request execution. A value of "Exempt" means that requests of this priority level are not subject to a limit (and thus are never queued) and do not detract from the capacity made available to other priority levels. A value of "Limited" means that (a) requests of this priority level are subject to limits and (b) some of the server's limited capacity is made available exclusively to this priority level. Required.

PriorityLevelConfigurationStatus

PriorityLevelConfigurationStatus represents the current state of a "request-priority".


  • conditions ([]PriorityLevelConfigurationCondition)

    Patch strategy: merge on key type

    Map: unique values on key type will be kept during a merge

    conditions is the current state of "request-priority".

    PriorityLevelConfigurationCondition defines the condition of priority level.

    • conditions.lastTransitionTime (Time)

      lastTransitionTime is the last time the condition transitioned from one status to another.

      Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

    • conditions.message (string)

      message is a human-readable message indicating details about last transition.

    • conditions.reason (string)

      reason is a unique, one-word, CamelCase reason for the condition's last transition.

    • conditions.status (string)

      status is the status of the condition. Can be True, False, Unknown. Required.

    • conditions.type (string)

      type is the type of the condition. Required.

PriorityLevelConfigurationList

PriorityLevelConfigurationList is a list of PriorityLevelConfiguration objects.


Operations


get read the specified PriorityLevelConfiguration

HTTP Request

GET /apis/flowcontrol.apiserver.k8s.io/v1/prioritylevelconfigurations/{name}

Parameters

  • name (in path): string, required

    name of the PriorityLevelConfiguration

  • pretty (in query): string

    pretty

Response

200 (PriorityLevelConfiguration): OK

401: Unauthorized

get read status of the specified PriorityLevelConfiguration

HTTP Request

GET /apis/flowcontrol.apiserver.k8s.io/v1/prioritylevelconfigurations/{name}/status

Parameters

  • name (in path): string, required

    name of the PriorityLevelConfiguration

  • pretty (in query): string

    pretty

Response

200 (PriorityLevelConfiguration): OK

401: Unauthorized

list list or watch objects of kind PriorityLevelConfiguration

HTTP Request

GET /apis/flowcontrol.apiserver.k8s.io/v1/prioritylevelconfigurations

Parameters

Response

200 (PriorityLevelConfigurationList): OK

401: Unauthorized

create create a PriorityLevelConfiguration

HTTP Request

POST /apis/flowcontrol.apiserver.k8s.io/v1/prioritylevelconfigurations

Parameters

Response

200 (PriorityLevelConfiguration): OK

201 (PriorityLevelConfiguration): Created

202 (PriorityLevelConfiguration): Accepted

401: Unauthorized

update replace the specified PriorityLevelConfiguration

HTTP Request

PUT /apis/flowcontrol.apiserver.k8s.io/v1/prioritylevelconfigurations/{name}

Parameters

Response

200 (PriorityLevelConfiguration): OK

201 (PriorityLevelConfiguration): Created

401: Unauthorized

update replace status of the specified PriorityLevelConfiguration

HTTP Request

PUT /apis/flowcontrol.apiserver.k8s.io/v1/prioritylevelconfigurations/{name}/status

Parameters

Response

200 (PriorityLevelConfiguration): OK

201 (PriorityLevelConfiguration): Created

401: Unauthorized

patch partially update the specified PriorityLevelConfiguration

HTTP Request

PATCH /apis/flowcontrol.apiserver.k8s.io/v1/prioritylevelconfigurations/{name}

Parameters

  • name (in path): string, required

    name of the PriorityLevelConfiguration

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (PriorityLevelConfiguration): OK

201 (PriorityLevelConfiguration): Created

401: Unauthorized

patch partially update status of the specified PriorityLevelConfiguration

HTTP Request

PATCH /apis/flowcontrol.apiserver.k8s.io/v1/prioritylevelconfigurations/{name}/status

Parameters

  • name (in path): string, required

    name of the PriorityLevelConfiguration

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (PriorityLevelConfiguration): OK

201 (PriorityLevelConfiguration): Created

401: Unauthorized

delete delete a PriorityLevelConfiguration

HTTP Request

DELETE /apis/flowcontrol.apiserver.k8s.io/v1/prioritylevelconfigurations/{name}

Parameters

Response

200 (Status): OK

202 (Status): Accepted

401: Unauthorized

deletecollection delete collection of PriorityLevelConfiguration

HTTP Request

DELETE /apis/flowcontrol.apiserver.k8s.io/v1/prioritylevelconfigurations

Parameters

Response

200 (Status): OK

401: Unauthorized

7 - ValidatingAdmissionPolicy

ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.

apiVersion: admissionregistration.k8s.io/v1

import "k8s.io/api/admissionregistration/v1"

ValidatingAdmissionPolicy

ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.


  • apiVersion: admissionregistration.k8s.io/v1

  • kind: ValidatingAdmissionPolicy

  • metadata (ObjectMeta)

    Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.

  • spec (ValidatingAdmissionPolicySpec)

    Specification of the desired behavior of the ValidatingAdmissionPolicy.

    ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.

    • spec.auditAnnotations ([]AuditAnnotation)

      Atomic: will be replaced during a merge

      auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is required.

      AuditAnnotation describes how to produce an audit annotation for an API request.

      • spec.auditAnnotations.key (string), required

        key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.

        The key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: "{ValidatingAdmissionPolicy name}/{key}".

        If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.

        Required.

      • spec.auditAnnotations.valueExpression (string), required

        valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.

        If multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.

        Required.

    • spec.failurePolicy (string)

      failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.

      A policy is invalid if spec.paramKind refers to a non-existent Kind. A binding is invalid if spec.paramRef.name refers to a non-existent resource.

      failurePolicy does not define how validations that evaluate to false are handled.

      When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions define how failures are enforced.

      Allowed values are Ignore or Fail. Defaults to Fail.

    • spec.matchConditions ([]MatchCondition)

      Patch strategy: merge on key name

      Map: unique values on key name will be kept during a merge

      MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.

      If a parameter object is provided, it can be accessed via the params handle in the same manner as validation expressions.

      The exact matching logic is (in order):

      1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
      2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
      3. If any matchCondition evaluates to an error (but none are FALSE):
        • If failurePolicy=Fail, reject the request
        • If failurePolicy=Ignore, the policy is skipped

      MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.

      • spec.matchConditions.expression (string), required

        Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:

        'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the request resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/

        Required.

      • spec.matchConditions.name (string), required

        Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', '' or '.', and must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')

        Required.

    • spec.matchConstraints (MatchResources)

      MatchConstraints specifies what resources this policy is designed to validate. The AdmissionPolicy cares about a request if it matches all Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. Required.

      MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)

      • spec.matchConstraints.excludeResourceRules ([]NamedRuleWithOperations)

        Atomic: will be replaced during a merge

        ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)

        NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.

        • spec.matchConstraints.excludeResourceRules.apiGroups ([]string)

          Atomic: will be replaced during a merge

          APIGroups is the API groups the resources belong to. '' is all groups. If '' is present, the length of the slice must be one. Required.

        • spec.matchConstraints.excludeResourceRules.apiVersions ([]string)

          Atomic: will be replaced during a merge

          APIVersions is the API versions the resources belong to. '' is all versions. If '' is present, the length of the slice must be one. Required.

        • spec.matchConstraints.excludeResourceRules.operations ([]string)

          Atomic: will be replaced during a merge

          Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.

        • spec.matchConstraints.excludeResourceRules.resourceNames ([]string)

          Atomic: will be replaced during a merge

          ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.

        • spec.matchConstraints.excludeResourceRules.resources ([]string)

          Atomic: will be replaced during a merge

          Resources is a list of resources this rule applies to.

          For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '' means all resources, but not subresources. 'pods/' means all subresources of pods. '/scale' means all scale subresources. '/*' means all resources and their subresources.

          If wildcard is present, the validation rule will ensure resources do not overlap with each other.

          Depending on the enclosing object, subresources might not be allowed. Required.

        • spec.matchConstraints.excludeResourceRules.scope (string)

          scope specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".

      • spec.matchConstraints.matchPolicy (string)

        matchPolicy defines how the "MatchResources" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".

        • Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"], a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.

        • Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"], a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.

        Defaults to "Equivalent"

      • spec.matchConstraints.namespaceSelector (LabelSelector)

        NamespaceSelector decides whether to run the admission control policy on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the policy.

        For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "runlevel", "operator": "NotIn", "values": [ "0", "1" ] } ] }

        If instead you want to only run the policy on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "environment", "operator": "In", "values": [ "prod", "staging" ] } ] }

        See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.

        Default to the empty LabelSelector, which matches everything.

      • spec.matchConstraints.objectSelector (LabelSelector)

        ObjectSelector decides whether to run the validation based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the cel validation, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.

      • spec.matchConstraints.resourceRules ([]NamedRuleWithOperations)

        Atomic: will be replaced during a merge

        ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches any Rule.

        NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.

        • spec.matchConstraints.resourceRules.apiGroups ([]string)

          Atomic: will be replaced during a merge

          APIGroups is the API groups the resources belong to. '' is all groups. If '' is present, the length of the slice must be one. Required.

        • spec.matchConstraints.resourceRules.apiVersions ([]string)

          Atomic: will be replaced during a merge

          APIVersions is the API versions the resources belong to. '' is all versions. If '' is present, the length of the slice must be one. Required.

        • spec.matchConstraints.resourceRules.operations ([]string)

          Atomic: will be replaced during a merge

          Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.

        • spec.matchConstraints.resourceRules.resourceNames ([]string)

          Atomic: will be replaced during a merge

          ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.

        • spec.matchConstraints.resourceRules.resources ([]string)

          Atomic: will be replaced during a merge

          Resources is a list of resources this rule applies to.

          For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '' means all resources, but not subresources. 'pods/' means all subresources of pods. '/scale' means all scale subresources. '/*' means all resources and their subresources.

          If wildcard is present, the validation rule will ensure resources do not overlap with each other.

          Depending on the enclosing object, subresources might not be allowed. Required.

        • spec.matchConstraints.resourceRules.scope (string)

          scope specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".

    • spec.paramKind (ParamKind)

      ParamKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.

      ParamKind is a tuple of Group Kind and Version.

      • spec.paramKind.apiVersion (string)

        APIVersion is the API group version the resources belong to. In format of "group/version". Required.

      • spec.paramKind.kind (string)

        Kind is the API kind the resources belong to. Required.

    • spec.validations ([]Validation)

      Atomic: will be replaced during a merge

      Validations contain CEL expressions which is used to apply the validation. Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is required.

      Validation specifies the CEL expression which is used to apply the validation.

      • spec.validations.expression (string), required

        Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:

        • 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request(ref). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value. For example, a variable named 'foo' can be accessed as 'variables.foo'.
        • 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
        • 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the request resource.

        The apiVersion, kind, metadata.name and metadata.generateName are always accessible from the root of the object. No other metadata properties are accessible.

        Only property names of the form [a-zA-Z_.-/][a-zA-Z0-9_.-/]* are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '' escapes to 'underscores' - '.' escapes to 'dot' - '-' escapes to 'dash' - '/' escapes to 'slash' - Property names that exactly match a CEL RESERVED keyword escape to '{keyword}__'. The keywords are: "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if", "import", "let", "loop", "package", "namespace", "return". Examples:

        • Expression accessing a property named "namespace": {"Expression": "object.namespace > 0"}
        • Expression accessing a property named "x-prop": {"Expression": "object.x__dash__prop > 0"}
        • Expression accessing a property named "redact__d": {"Expression": "object.redact__underscores__d > 0"}

        Equality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:

        • 'set': X + Y performs a union where the array positions of all elements in X are preserved and non-intersecting elements in Y are appended, retaining their partial order.
        • 'map': X + Y performs a merge where the array positions of all keys in X are preserved but the values are overwritten by values in Y when the key sets of X and Y intersect. Elements in Y with non-intersecting keys are appended, retaining their partial order. Required.
      • spec.validations.message (string)

        Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is "failed rule: {Rule}". e.g. "must be a URL with the host matching spec.host" If the Expression contains line breaks. Message is required. The message must not contain line breaks. If unset, the message is "failed Expression: {Expression}".

      • spec.validations.messageExpression (string)

        messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the expression except for 'authorizer' and 'authorizer.requestResource'. Example: "object.x must be less than max ("+string(params.max)+")"

      • spec.validations.reason (string)

        Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". If not set, StatusReasonInvalid is used in the response to the client.

    • spec.variables ([]Variable)

      Patch strategy: merge on key name

      Map: unique values on key name will be kept during a merge

      Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under variables in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.

      The expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.

      Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.

      • spec.variables.expression (string), required

        Expression is the expression that will be evaluated as the value of the variable. The CEL expression has access to the same identifiers as the CEL expressions in Validation.

      • spec.variables.name (string), required

        Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. The variable can be accessed in other expressions through variables For example, if name is "foo", the variable will be available as variables.foo

  • status (ValidatingAdmissionPolicyStatus)

    The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy behaves in the expected way. Populated by the system. Read-only.

    ValidatingAdmissionPolicyStatus represents the status of an admission validation policy.

    • status.conditions ([]Condition)

      Map: unique values on key type will be kept during a merge

      The conditions represent the latest available observations of a policy's current state.

      Condition contains details for one aspect of the current state of this API Resource.

      • status.conditions.lastTransitionTime (Time), required

        lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

        Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

      • status.conditions.message (string), required

        message is a human readable message indicating details about the transition. This may be an empty string.

      • status.conditions.reason (string), required

        reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.

      • status.conditions.status (string), required

        status of the condition, one of True, False, Unknown.

      • status.conditions.type (string), required

        type of condition in CamelCase or in foo.example.com/CamelCase.

      • status.conditions.observedGeneration (int64)

        observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

    • status.observedGeneration (int64)

      The generation observed by the controller.

    • status.typeChecking (TypeChecking)

      The results of type checking for each expression. Presence of this field indicates the completion of the type checking.

      TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy

      • status.typeChecking.expressionWarnings ([]ExpressionWarning)

        Atomic: will be replaced during a merge

        The type checking warnings for each expression.

        ExpressionWarning is a warning information that targets a specific expression.

        • status.typeChecking.expressionWarnings.fieldRef (string), required

          The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is "spec.validations[0].expression"

        • status.typeChecking.expressionWarnings.warning (string), required

          The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.

ValidatingAdmissionPolicyList

ValidatingAdmissionPolicyList is a list of ValidatingAdmissionPolicy.


ValidatingAdmissionPolicyBinding

ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources. ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.

For a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding.

The CEL expressions of a policy must have a computed CEL cost below the maximum CEL budget. Each evaluation of the policy is given an independent CEL cost budget. Adding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.


  • apiVersion (string)

    APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

  • kind (string)

    Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

  • metadata (ObjectMeta)

    Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.

  • spec (ValidatingAdmissionPolicyBindingSpec)

    Specification of the desired behavior of the ValidatingAdmissionPolicyBinding.

    ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.

    • spec.matchResources (MatchResources)

      MatchResources declares what resources match this binding and will be validated by it. Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this. If this is unset, all resources matched by the policy are validated by this binding When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated. Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required.

      MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)

      • spec.matchResources.excludeResourceRules ([]NamedRuleWithOperations)

        Atomic: will be replaced during a merge

        ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)

        NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.

        • spec.matchResources.excludeResourceRules.apiGroups ([]string)

          Atomic: will be replaced during a merge

          APIGroups is the API groups the resources belong to. '' is all groups. If '' is present, the length of the slice must be one. Required.

        • spec.matchResources.excludeResourceRules.apiVersions ([]string)

          Atomic: will be replaced during a merge

          APIVersions is the API versions the resources belong to. '' is all versions. If '' is present, the length of the slice must be one. Required.

        • spec.matchResources.excludeResourceRules.operations ([]string)

          Atomic: will be replaced during a merge

          Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.

        • spec.matchResources.excludeResourceRules.resourceNames ([]string)

          Atomic: will be replaced during a merge

          ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.

        • spec.matchResources.excludeResourceRules.resources ([]string)

          Atomic: will be replaced during a merge

          Resources is a list of resources this rule applies to.

          For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '' means all resources, but not subresources. 'pods/' means all subresources of pods. '/scale' means all scale subresources. '/*' means all resources and their subresources.

          If wildcard is present, the validation rule will ensure resources do not overlap with each other.

          Depending on the enclosing object, subresources might not be allowed. Required.

        • spec.matchResources.excludeResourceRules.scope (string)

          scope specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".

      • spec.matchResources.matchPolicy (string)

        matchPolicy defines how the "MatchResources" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".

        • Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"], a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.

        • Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"], a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.

        Defaults to "Equivalent"

      • spec.matchResources.namespaceSelector (LabelSelector)

        NamespaceSelector decides whether to run the admission control policy on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the policy.

        For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "runlevel", "operator": "NotIn", "values": [ "0", "1" ] } ] }

        If instead you want to only run the policy on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "environment", "operator": "In", "values": [ "prod", "staging" ] } ] }

        See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.

        Default to the empty LabelSelector, which matches everything.

      • spec.matchResources.objectSelector (LabelSelector)

        ObjectSelector decides whether to run the validation based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the cel validation, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.

      • spec.matchResources.resourceRules ([]NamedRuleWithOperations)

        Atomic: will be replaced during a merge

        ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches any Rule.

        NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.

        • spec.matchResources.resourceRules.apiGroups ([]string)

          Atomic: will be replaced during a merge

          APIGroups is the API groups the resources belong to. '' is all groups. If '' is present, the length of the slice must be one. Required.

        • spec.matchResources.resourceRules.apiVersions ([]string)

          Atomic: will be replaced during a merge

          APIVersions is the API versions the resources belong to. '' is all versions. If '' is present, the length of the slice must be one. Required.

        • spec.matchResources.resourceRules.operations ([]string)

          Atomic: will be replaced during a merge

          Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.

        • spec.matchResources.resourceRules.resourceNames ([]string)

          Atomic: will be replaced during a merge

          ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.

        • spec.matchResources.resourceRules.resources ([]string)

          Atomic: will be replaced during a merge

          Resources is a list of resources this rule applies to.

          For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '' means all resources, but not subresources. 'pods/' means all subresources of pods. '/scale' means all scale subresources. '/*' means all resources and their subresources.

          If wildcard is present, the validation rule will ensure resources do not overlap with each other.

          Depending on the enclosing object, subresources might not be allowed. Required.

        • spec.matchResources.resourceRules.scope (string)

          scope specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".

    • spec.paramRef (ParamRef)

      paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.

      ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding.

      • spec.paramRef.name (string)

        name is the name of the resource being referenced.

        One of name or selector must be set, but name and selector are mutually exclusive properties. If one is set, the other must be unset.

        A single parameter used for all admission requests can be configured by setting the name field, leaving selector blank, and setting namespace if paramKind is namespace-scoped.

      • spec.paramRef.namespace (string)

        namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both name and selector fields.

        A per-namespace parameter may be used by specifying a namespace-scoped paramKind in the policy and leaving this field empty.

        • If paramKind is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error.

        • If paramKind is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.

      • spec.paramRef.parameterNotFoundAction (string)

        parameterNotFoundAction controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to Allow, then no matched parameters will be treated as successful validation by the binding. If set to Deny, then no matched parameters will be subject to the failurePolicy of the policy.

        Allowed values are Allow or Deny

        Required

      • spec.paramRef.selector (LabelSelector)

        selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.

        If multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.

        One of name or selector must be set, but name and selector are mutually exclusive properties. If one is set, the other must be unset.

    • spec.policyName (string)

      PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.

    • spec.validationActions ([]string)

      Set: unique values will be kept during a merge

      validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced. If a validation evaluates to false it is always enforced according to these actions.

      Failures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according to these actions only if the FailurePolicy is set to Fail, otherwise the failures are ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.

      validationActions is declared as a set of action values. Order does not matter. validationActions may not contain duplicates of the same action.

      The supported actions values are:

      "Deny" specifies that a validation failure results in a denied request.

      "Warn" specifies that a validation failure is reported to the request client in HTTP Warning headers, with a warning code of 299. Warnings can be sent both for allowed or denied admission responses.

      "Audit" specifies that a validation failure is included in the published audit event for the request. The audit event will contain a validation.policy.admission.k8s.io/validation_failure audit annotation with a value containing the details of the validation failures, formatted as a JSON list of objects, each with the following fields: - message: The validation failure message string - policy: The resource name of the ValidatingAdmissionPolicy - binding: The resource name of the ValidatingAdmissionPolicyBinding - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy - validationActions: The enforcement actions enacted for the validation failure Example audit annotation: "validation.policy.admission.k8s.io/validation_failure": "[{"message": "Invalid value", {"policy": "policy.example.com", {"binding": "policybinding.example.com", {"expressionIndex": "1", {"validationActions": ["Audit"]}]"

      Clients should expect to handle additional values by ignoring any values not recognized.

      "Deny" and "Warn" may not be used together since this combination needlessly duplicates the validation failure both in the API response body and the HTTP warning headers.

      Required.

Operations


get read the specified ValidatingAdmissionPolicy

HTTP Request

GET /apis/admissionregistration.k8s.io/v1/validatingadmissionpolicies/{name}

Parameters

  • name (in path): string, required

    name of the ValidatingAdmissionPolicy

  • pretty (in query): string

    pretty

Response

200 (ValidatingAdmissionPolicy): OK

401: Unauthorized

get read status of the specified ValidatingAdmissionPolicy

HTTP Request

GET /apis/admissionregistration.k8s.io/v1/validatingadmissionpolicies/{name}/status

Parameters

  • name (in path): string, required

    name of the ValidatingAdmissionPolicy

  • pretty (in query): string

    pretty

Response

200 (ValidatingAdmissionPolicy): OK

401: Unauthorized

list list or watch objects of kind ValidatingAdmissionPolicy

HTTP Request

GET /apis/admissionregistration.k8s.io/v1/validatingadmissionpolicies

Parameters

Response

200 (ValidatingAdmissionPolicyList): OK

401: Unauthorized

create create a ValidatingAdmissionPolicy

HTTP Request

POST /apis/admissionregistration.k8s.io/v1/validatingadmissionpolicies

Parameters

Response

200 (ValidatingAdmissionPolicy): OK

201 (ValidatingAdmissionPolicy): Created

202 (ValidatingAdmissionPolicy): Accepted

401: Unauthorized

update replace the specified ValidatingAdmissionPolicy

HTTP Request

PUT /apis/admissionregistration.k8s.io/v1/validatingadmissionpolicies/{name}

Parameters

Response

200 (ValidatingAdmissionPolicy): OK

201 (ValidatingAdmissionPolicy): Created

401: Unauthorized

update replace status of the specified ValidatingAdmissionPolicy

HTTP Request

PUT /apis/admissionregistration.k8s.io/v1/validatingadmissionpolicies/{name}/status

Parameters

Response

200 (ValidatingAdmissionPolicy): OK

201 (ValidatingAdmissionPolicy): Created

401: Unauthorized

patch partially update the specified ValidatingAdmissionPolicy

HTTP Request

PATCH /apis/admissionregistration.k8s.io/v1/validatingadmissionpolicies/{name}

Parameters

  • name (in path): string, required

    name of the ValidatingAdmissionPolicy

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (ValidatingAdmissionPolicy): OK

201 (ValidatingAdmissionPolicy): Created

401: Unauthorized

patch partially update status of the specified ValidatingAdmissionPolicy

HTTP Request

PATCH /apis/admissionregistration.k8s.io/v1/validatingadmissionpolicies/{name}/status

Parameters

  • name (in path): string, required

    name of the ValidatingAdmissionPolicy

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (ValidatingAdmissionPolicy): OK

201 (ValidatingAdmissionPolicy): Created

401: Unauthorized

delete delete a ValidatingAdmissionPolicy

HTTP Request

DELETE /apis/admissionregistration.k8s.io/v1/validatingadmissionpolicies/{name}

Parameters

Response

200 (Status): OK

202 (Status): Accepted

401: Unauthorized

deletecollection delete collection of ValidatingAdmissionPolicy

HTTP Request

DELETE /apis/admissionregistration.k8s.io/v1/validatingadmissionpolicies

Parameters

Response

200 (Status): OK

401: Unauthorized

8 - ValidatingAdmissionPolicyBinding

ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources.

apiVersion: admissionregistration.k8s.io/v1

import "k8s.io/api/admissionregistration/v1"

ValidatingAdmissionPolicyBinding

ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources. ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.

For a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding.

The CEL expressions of a policy must have a computed CEL cost below the maximum CEL budget. Each evaluation of the policy is given an independent CEL cost budget. Adding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.


  • apiVersion: admissionregistration.k8s.io/v1

  • kind: ValidatingAdmissionPolicyBinding

  • metadata (ObjectMeta)

    Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.

  • spec (ValidatingAdmissionPolicyBindingSpec)

    Specification of the desired behavior of the ValidatingAdmissionPolicyBinding.

    ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.

    • spec.matchResources (MatchResources)

      MatchResources declares what resources match this binding and will be validated by it. Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this. If this is unset, all resources matched by the policy are validated by this binding When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated. Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required.

      MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)

      • spec.matchResources.excludeResourceRules ([]NamedRuleWithOperations)

        Atomic: will be replaced during a merge

        ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)

        NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.

        • spec.matchResources.excludeResourceRules.apiGroups ([]string)

          Atomic: will be replaced during a merge

          APIGroups is the API groups the resources belong to. '' is all groups. If '' is present, the length of the slice must be one. Required.

        • spec.matchResources.excludeResourceRules.apiVersions ([]string)

          Atomic: will be replaced during a merge

          APIVersions is the API versions the resources belong to. '' is all versions. If '' is present, the length of the slice must be one. Required.

        • spec.matchResources.excludeResourceRules.operations ([]string)

          Atomic: will be replaced during a merge

          Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.

        • spec.matchResources.excludeResourceRules.resourceNames ([]string)

          Atomic: will be replaced during a merge

          ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.

        • spec.matchResources.excludeResourceRules.resources ([]string)

          Atomic: will be replaced during a merge

          Resources is a list of resources this rule applies to.

          For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '' means all resources, but not subresources. 'pods/' means all subresources of pods. '/scale' means all scale subresources. '/*' means all resources and their subresources.

          If wildcard is present, the validation rule will ensure resources do not overlap with each other.

          Depending on the enclosing object, subresources might not be allowed. Required.

        • spec.matchResources.excludeResourceRules.scope (string)

          scope specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".

      • spec.matchResources.matchPolicy (string)

        matchPolicy defines how the "MatchResources" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".

        • Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"], a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.

        • Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"], a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.

        Defaults to "Equivalent"

      • spec.matchResources.namespaceSelector (LabelSelector)

        NamespaceSelector decides whether to run the admission control policy on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the policy.

        For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "runlevel", "operator": "NotIn", "values": [ "0", "1" ] } ] }

        If instead you want to only run the policy on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "environment", "operator": "In", "values": [ "prod", "staging" ] } ] }

        See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.

        Default to the empty LabelSelector, which matches everything.

      • spec.matchResources.objectSelector (LabelSelector)

        ObjectSelector decides whether to run the validation based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the cel validation, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.

      • spec.matchResources.resourceRules ([]NamedRuleWithOperations)

        Atomic: will be replaced during a merge

        ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches any Rule.

        NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.

        • spec.matchResources.resourceRules.apiGroups ([]string)

          Atomic: will be replaced during a merge

          APIGroups is the API groups the resources belong to. '' is all groups. If '' is present, the length of the slice must be one. Required.

        • spec.matchResources.resourceRules.apiVersions ([]string)

          Atomic: will be replaced during a merge

          APIVersions is the API versions the resources belong to. '' is all versions. If '' is present, the length of the slice must be one. Required.

        • spec.matchResources.resourceRules.operations ([]string)

          Atomic: will be replaced during a merge

          Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.

        • spec.matchResources.resourceRules.resourceNames ([]string)

          Atomic: will be replaced during a merge

          ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.

        • spec.matchResources.resourceRules.resources ([]string)

          Atomic: will be replaced during a merge

          Resources is a list of resources this rule applies to.

          For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '' means all resources, but not subresources. 'pods/' means all subresources of pods. '/scale' means all scale subresources. '/*' means all resources and their subresources.

          If wildcard is present, the validation rule will ensure resources do not overlap with each other.

          Depending on the enclosing object, subresources might not be allowed. Required.

        • spec.matchResources.resourceRules.scope (string)

          scope specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".

    • spec.paramRef (ParamRef)

      paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.

      ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding.

      • spec.paramRef.name (string)

        name is the name of the resource being referenced.

        One of name or selector must be set, but name and selector are mutually exclusive properties. If one is set, the other must be unset.

        A single parameter used for all admission requests can be configured by setting the name field, leaving selector blank, and setting namespace if paramKind is namespace-scoped.

      • spec.paramRef.namespace (string)

        namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both name and selector fields.

        A per-namespace parameter may be used by specifying a namespace-scoped paramKind in the policy and leaving this field empty.

        • If paramKind is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error.

        • If paramKind is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.

      • spec.paramRef.parameterNotFoundAction (string)

        parameterNotFoundAction controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to Allow, then no matched parameters will be treated as successful validation by the binding. If set to Deny, then no matched parameters will be subject to the failurePolicy of the policy.

        Allowed values are Allow or Deny

        Required

      • spec.paramRef.selector (LabelSelector)

        selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.

        If multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.

        One of name or selector must be set, but name and selector are mutually exclusive properties. If one is set, the other must be unset.

    • spec.policyName (string)

      PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.

    • spec.validationActions ([]string)

      Set: unique values will be kept during a merge

      validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced. If a validation evaluates to false it is always enforced according to these actions.

      Failures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according to these actions only if the FailurePolicy is set to Fail, otherwise the failures are ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.

      validationActions is declared as a set of action values. Order does not matter. validationActions may not contain duplicates of the same action.

      The supported actions values are:

      "Deny" specifies that a validation failure results in a denied request.

      "Warn" specifies that a validation failure is reported to the request client in HTTP Warning headers, with a warning code of 299. Warnings can be sent both for allowed or denied admission responses.

      "Audit" specifies that a validation failure is included in the published audit event for the request. The audit event will contain a validation.policy.admission.k8s.io/validation_failure audit annotation with a value containing the details of the validation failures, formatted as a JSON list of objects, each with the following fields: - message: The validation failure message string - policy: The resource name of the ValidatingAdmissionPolicy - binding: The resource name of the ValidatingAdmissionPolicyBinding - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy - validationActions: The enforcement actions enacted for the validation failure Example audit annotation: "validation.policy.admission.k8s.io/validation_failure": "[{"message": "Invalid value", {"policy": "policy.example.com", {"binding": "policybinding.example.com", {"expressionIndex": "1", {"validationActions": ["Audit"]}]"

      Clients should expect to handle additional values by ignoring any values not recognized.

      "Deny" and "Warn" may not be used together since this combination needlessly duplicates the validation failure both in the API response body and the HTTP warning headers.

      Required.

ValidatingAdmissionPolicy

ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.


  • apiVersion (string)

    APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

  • kind (string)

    Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

  • metadata (ObjectMeta)

    Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.

  • spec (ValidatingAdmissionPolicySpec)

    Specification of the desired behavior of the ValidatingAdmissionPolicy.

    ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.

    • spec.auditAnnotations ([]AuditAnnotation)

      Atomic: will be replaced during a merge

      auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is required.

      AuditAnnotation describes how to produce an audit annotation for an API request.

      • spec.auditAnnotations.key (string), required

        key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.

        The key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: "{ValidatingAdmissionPolicy name}/{key}".

        If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.

        Required.

      • spec.auditAnnotations.valueExpression (string), required

        valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.

        If multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.

        Required.

    • spec.failurePolicy (string)

      failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.

      A policy is invalid if spec.paramKind refers to a non-existent Kind. A binding is invalid if spec.paramRef.name refers to a non-existent resource.

      failurePolicy does not define how validations that evaluate to false are handled.

      When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions define how failures are enforced.

      Allowed values are Ignore or Fail. Defaults to Fail.

    • spec.matchConditions ([]MatchCondition)

      Patch strategy: merge on key name

      Map: unique values on key name will be kept during a merge

      MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.

      If a parameter object is provided, it can be accessed via the params handle in the same manner as validation expressions.

      The exact matching logic is (in order):

      1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
      2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
      3. If any matchCondition evaluates to an error (but none are FALSE):
        • If failurePolicy=Fail, reject the request
        • If failurePolicy=Ignore, the policy is skipped

      MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.

      • spec.matchConditions.expression (string), required

        Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:

        'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the request resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/

        Required.

      • spec.matchConditions.name (string), required

        Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', '' or '.', and must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')

        Required.

    • spec.matchConstraints (MatchResources)

      MatchConstraints specifies what resources this policy is designed to validate. The AdmissionPolicy cares about a request if it matches all Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. Required.

      MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)

      • spec.matchConstraints.excludeResourceRules ([]NamedRuleWithOperations)

        Atomic: will be replaced during a merge

        ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)

        NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.

        • spec.matchConstraints.excludeResourceRules.apiGroups ([]string)

          Atomic: will be replaced during a merge

          APIGroups is the API groups the resources belong to. '' is all groups. If '' is present, the length of the slice must be one. Required.

        • spec.matchConstraints.excludeResourceRules.apiVersions ([]string)

          Atomic: will be replaced during a merge

          APIVersions is the API versions the resources belong to. '' is all versions. If '' is present, the length of the slice must be one. Required.

        • spec.matchConstraints.excludeResourceRules.operations ([]string)

          Atomic: will be replaced during a merge

          Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.

        • spec.matchConstraints.excludeResourceRules.resourceNames ([]string)

          Atomic: will be replaced during a merge

          ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.

        • spec.matchConstraints.excludeResourceRules.resources ([]string)

          Atomic: will be replaced during a merge

          Resources is a list of resources this rule applies to.

          For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '' means all resources, but not subresources. 'pods/' means all subresources of pods. '/scale' means all scale subresources. '/*' means all resources and their subresources.

          If wildcard is present, the validation rule will ensure resources do not overlap with each other.

          Depending on the enclosing object, subresources might not be allowed. Required.

        • spec.matchConstraints.excludeResourceRules.scope (string)

          scope specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".

      • spec.matchConstraints.matchPolicy (string)

        matchPolicy defines how the "MatchResources" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".

        • Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"], a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.

        • Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"], a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.

        Defaults to "Equivalent"

      • spec.matchConstraints.namespaceSelector (LabelSelector)

        NamespaceSelector decides whether to run the admission control policy on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the policy.

        For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "runlevel", "operator": "NotIn", "values": [ "0", "1" ] } ] }

        If instead you want to only run the policy on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": { "matchExpressions": [ { "key": "environment", "operator": "In", "values": [ "prod", "staging" ] } ] }

        See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.

        Default to the empty LabelSelector, which matches everything.

      • spec.matchConstraints.objectSelector (LabelSelector)

        ObjectSelector decides whether to run the validation based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the cel validation, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.

      • spec.matchConstraints.resourceRules ([]NamedRuleWithOperations)

        Atomic: will be replaced during a merge

        ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches any Rule.

        NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.

        • spec.matchConstraints.resourceRules.apiGroups ([]string)

          Atomic: will be replaced during a merge

          APIGroups is the API groups the resources belong to. '' is all groups. If '' is present, the length of the slice must be one. Required.

        • spec.matchConstraints.resourceRules.apiVersions ([]string)

          Atomic: will be replaced during a merge

          APIVersions is the API versions the resources belong to. '' is all versions. If '' is present, the length of the slice must be one. Required.

        • spec.matchConstraints.resourceRules.operations ([]string)

          Atomic: will be replaced during a merge

          Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.

        • spec.matchConstraints.resourceRules.resourceNames ([]string)

          Atomic: will be replaced during a merge

          ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.

        • spec.matchConstraints.resourceRules.resources ([]string)

          Atomic: will be replaced during a merge

          Resources is a list of resources this rule applies to.

          For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '' means all resources, but not subresources. 'pods/' means all subresources of pods. '/scale' means all scale subresources. '/*' means all resources and their subresources.

          If wildcard is present, the validation rule will ensure resources do not overlap with each other.

          Depending on the enclosing object, subresources might not be allowed. Required.

        • spec.matchConstraints.resourceRules.scope (string)

          scope specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".

    • spec.paramKind (ParamKind)

      ParamKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.

      ParamKind is a tuple of Group Kind and Version.

      • spec.paramKind.apiVersion (string)

        APIVersion is the API group version the resources belong to. In format of "group/version". Required.

      • spec.paramKind.kind (string)

        Kind is the API kind the resources belong to. Required.

    • spec.validations ([]Validation)

      Atomic: will be replaced during a merge

      Validations contain CEL expressions which is used to apply the validation. Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is required.

      Validation specifies the CEL expression which is used to apply the validation.

      • spec.validations.expression (string), required

        Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:

        • 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request(ref). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value. For example, a variable named 'foo' can be accessed as 'variables.foo'.
        • 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
        • 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the request resource.

        The apiVersion, kind, metadata.name and metadata.generateName are always accessible from the root of the object. No other metadata properties are accessible.

        Only property names of the form [a-zA-Z_.-/][a-zA-Z0-9_.-/]* are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '' escapes to 'underscores' - '.' escapes to 'dot' - '-' escapes to 'dash' - '/' escapes to 'slash' - Property names that exactly match a CEL RESERVED keyword escape to '{keyword}__'. The keywords are: "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if", "import", "let", "loop", "package", "namespace", "return". Examples:

        • Expression accessing a property named "namespace": {"Expression": "object.namespace > 0"}
        • Expression accessing a property named "x-prop": {"Expression": "object.x__dash__prop > 0"}
        • Expression accessing a property named "redact__d": {"Expression": "object.redact__underscores__d > 0"}

        Equality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:

        • 'set': X + Y performs a union where the array positions of all elements in X are preserved and non-intersecting elements in Y are appended, retaining their partial order.
        • 'map': X + Y performs a merge where the array positions of all keys in X are preserved but the values are overwritten by values in Y when the key sets of X and Y intersect. Elements in Y with non-intersecting keys are appended, retaining their partial order. Required.
      • spec.validations.message (string)

        Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is "failed rule: {Rule}". e.g. "must be a URL with the host matching spec.host" If the Expression contains line breaks. Message is required. The message must not contain line breaks. If unset, the message is "failed Expression: {Expression}".

      • spec.validations.messageExpression (string)

        messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the expression except for 'authorizer' and 'authorizer.requestResource'. Example: "object.x must be less than max ("+string(params.max)+")"

      • spec.validations.reason (string)

        Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". If not set, StatusReasonInvalid is used in the response to the client.

    • spec.variables ([]Variable)

      Patch strategy: merge on key name

      Map: unique values on key name will be kept during a merge

      Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under variables in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.

      The expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.

      Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.

      • spec.variables.expression (string), required

        Expression is the expression that will be evaluated as the value of the variable. The CEL expression has access to the same identifiers as the CEL expressions in Validation.

      • spec.variables.name (string), required

        Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. The variable can be accessed in other expressions through variables For example, if name is "foo", the variable will be available as variables.foo

  • status (ValidatingAdmissionPolicyStatus)

    The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy behaves in the expected way. Populated by the system. Read-only.

    ValidatingAdmissionPolicyStatus represents the status of an admission validation policy.

    • status.conditions ([]Condition)

      Map: unique values on key type will be kept during a merge

      The conditions represent the latest available observations of a policy's current state.

      Condition contains details for one aspect of the current state of this API Resource.

      • status.conditions.lastTransitionTime (Time), required

        lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

        Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

      • status.conditions.message (string), required

        message is a human readable message indicating details about the transition. This may be an empty string.

      • status.conditions.reason (string), required

        reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.

      • status.conditions.status (string), required

        status of the condition, one of True, False, Unknown.

      • status.conditions.type (string), required

        type of condition in CamelCase or in foo.example.com/CamelCase.

      • status.conditions.observedGeneration (int64)

        observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

    • status.observedGeneration (int64)

      The generation observed by the controller.

    • status.typeChecking (TypeChecking)

      The results of type checking for each expression. Presence of this field indicates the completion of the type checking.

      TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy

      • status.typeChecking.expressionWarnings ([]ExpressionWarning)

        Atomic: will be replaced during a merge

        The type checking warnings for each expression.

        ExpressionWarning is a warning information that targets a specific expression.

        • status.typeChecking.expressionWarnings.fieldRef (string), required

          The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is "spec.validations[0].expression"

        • status.typeChecking.expressionWarnings.warning (string), required

          The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.

ValidatingAdmissionPolicyBindingList

ValidatingAdmissionPolicyBindingList is a list of ValidatingAdmissionPolicyBinding.


Operations


get read the specified ValidatingAdmissionPolicyBinding

HTTP Request

GET /apis/admissionregistration.k8s.io/v1/validatingadmissionpolicybindings/{name}

Parameters

  • name (in path): string, required

    name of the ValidatingAdmissionPolicyBinding

  • pretty (in query): string

    pretty

Response

200 (ValidatingAdmissionPolicyBinding): OK

401: Unauthorized

list list or watch objects of kind ValidatingAdmissionPolicyBinding

HTTP Request

GET /apis/admissionregistration.k8s.io/v1/validatingadmissionpolicybindings

Parameters

Response

200 (ValidatingAdmissionPolicyBindingList): OK

401: Unauthorized

create create a ValidatingAdmissionPolicyBinding

HTTP Request

POST /apis/admissionregistration.k8s.io/v1/validatingadmissionpolicybindings

Parameters

Response

200 (ValidatingAdmissionPolicyBinding): OK

201 (ValidatingAdmissionPolicyBinding): Created

202 (ValidatingAdmissionPolicyBinding): Accepted

401: Unauthorized

update replace the specified ValidatingAdmissionPolicyBinding

HTTP Request

PUT /apis/admissionregistration.k8s.io/v1/validatingadmissionpolicybindings/{name}

Parameters

Response

200 (ValidatingAdmissionPolicyBinding): OK

201 (ValidatingAdmissionPolicyBinding): Created

401: Unauthorized

patch partially update the specified ValidatingAdmissionPolicyBinding

HTTP Request

PATCH /apis/admissionregistration.k8s.io/v1/validatingadmissionpolicybindings/{name}

Parameters

  • name (in path): string, required

    name of the ValidatingAdmissionPolicyBinding

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • fieldValidation (in query): string

    fieldValidation

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (ValidatingAdmissionPolicyBinding): OK

201 (ValidatingAdmissionPolicyBinding): Created

401: Unauthorized

delete delete a ValidatingAdmissionPolicyBinding

HTTP Request

DELETE /apis/admissionregistration.k8s.io/v1/validatingadmissionpolicybindings/{name}

Parameters

Response

200 (Status): OK

202 (Status): Accepted

401: Unauthorized

deletecollection delete collection of ValidatingAdmissionPolicyBinding

HTTP Request

DELETE /apis/admissionregistration.k8s.io/v1/validatingadmissionpolicybindings

Parameters

Response

200 (Status): OK

401: Unauthorized