Resource Definitions

Custom Resource Definitions (CRDs) for Kyverno policies and other types.

Kyverno uses Kubernetes Custom Resource Definitions (CRDs) for policy definitions, policy reports, and other internal types.

The complete Kyverno CRD reference can be viewed here.

The HTML source is available in the Kyverno GitHub repository and generated from type definitions stored here.

kubectl explain

When operating in a Kubernetes cluster with Kyverno installed, you can always inspect Kyverno types natively using kubectl explain.

For example, this is the definition of a Kyverno Policy resource at policy.spec:

 1KIND:     Policy
 2VERSION:  kyverno.io/v1
 3
 4RESOURCE: spec <Object>
 5
 6DESCRIPTION:
 7     Spec defines policy behaviors and contains one or more rules.
 8
 9FIELDS:
10   background   <boolean>
11     Background controls if rules are applied to existing resources during a
12     background scan. Optional. Default value is "true". The value must be set
13     to "false" if the policy rule uses variables that are only available in the
14     admission review request (e.g. user name).
15
16   failurePolicy        <string>
17     FailurePolicy defines how unrecognized errors from the admission endpoint
18     are handled. Rules within the same policy share the same failure behavior.
19     Allowed values are Ignore or Fail. Defaults to Fail.
20
21   rules        <[]Object>
22     Rules is a list of Rule instances. A Policy contains multiple rules and
23     each rule can validate, mutate, or generate resources.
24
25   schemaValidation     <boolean>
26     SchemaValidation skips policy validation checks. Optional. The default
27     value is set to "true", it must be set to "false" to disable the validation
28     checks.
29
30   validationFailureAction      <string>
31     ValidationFailureAction controls if a validation policy rule failure should
32     disallow the admission review request (enforce), or allow (audit) the
33     admission review request and report an error in a policy report. Optional.
34     The default value is "audit".
35
36   validationFailureActionOverrides     <[]Object>
37     ValidationFailureActionOverrides is a Cluter Policy attribute that
38     specifies ValidationFailureAction namespace-wise. It overrides
39     ValidationFailureAction for the specified namespaces.
40
41   webhookTimeoutSeconds        <integer>
42     WebhookTimeoutSeconds specifies the maximum time in seconds allowed to
43     apply this policy. After the configured time expires, the admission request
44     may fail, or may simply ignore the policy results, based on the failure
45     policy. The default timeout is 10s, the value must be between 1 and 30
46     seconds.

Kyverno’s support for structural schemas also enables integrated help in Kubernetes enabled Integrated Development Environments (IDEs) like VS Code with the Kubernetes Extension installed.

Last modified October 21, 2022 at 10:39 AM PST: Fix/update language around background scans (#661) (aeaf922)