Kyverno uses Kubernetes Custom Resource Definitions (CRDs) for policy definitions, policy reports, and other internal types.
The complete Kyverno CRD reference can be viewed here.
When operating in a Kubernetes cluster with Kyverno installed, you can always inspect Kyverno types natively using
For example, this is the definition of a Kyverno Policy resource at
```
KIND:     Policy
VERSION:  kyverno.io/v1

RESOURCE: spec <Object>

DESCRIPTION:
     Spec defines policy behaviors and contains one or more rules.

FIELDS:
   background	<boolean>
     Background controls if rules are applied to existing resources during a
     background scan. Optional. Default value is "true". The value must be set
     to "false" if the policy rule uses variables that are only available in the
     admission review request (e.g. user name).

   failurePolicy	<string>
     FailurePolicy defines how unrecognized errors from the admission endpoint
     are handled. Rules within the same policy share the same failure behavior.
     Allowed values are Ignore or Fail. Defaults to Fail.

   rules	<Object>
     Rules is a list of Rule instances. A Policy contains multiple rules and
     each rule can validate, mutate, or generate resources.

   schemaValidation	<boolean>
     SchemaValidation skips policy validation checks. Optional. The default
     value is set to "true", it must be set to "false" to disable the validation
     checks.

   validationFailureAction	<string>
     ValidationFailureAction controls if a validation policy rule failure should
     disallow the admission review request (enforce), or allow (audit) the
     admission review request and report an error in a policy report. Optional.
     The default value is "audit".

   validationFailureActionOverrides	<Object>
     ValidationFailureActionOverrides is a Cluter Policy attribute that
     specifies ValidationFailureAction namespace-wise. It overrides
     ValidationFailureAction for the specified namespaces.

   webhookTimeoutSeconds	<integer>
     WebhookTimeoutSeconds specifies the maximum time in seconds allowed to
     apply this policy. After the configured time expires, the admission request
     may fail, or may simply ignore the policy results, based on the failure
     policy. The default timeout is 10s, the value must be between 1 and 30
     seconds.
```
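An added example, not part of the Kyverno documentation: a small Python check of a Policy `spec` (held as a dict) against the defaults and allowed values listed in the field descriptions above. The sample specs are constructed, and the `{{request.userInfo...}}` pattern used to spot admission-only variables is an assumption of this example.

```python
import json
import re

# Defaults as stated in the field descriptions above.
DEFAULTS = {"background": True, "failurePolicy": "Fail", "schemaValidation": True,
            "validationFailureAction": "audit", "webhookTimeoutSeconds": 10}
# Assumption: admission-only variables are referenced as {{request.userInfo...}}.
ADMISSION_VAR = re.compile(r"\{\{\s*request\.userInfo")


def lint_policy_spec(spec):
    """Return (field, message) findings for a Policy spec given as a dict."""
    s = {**DEFAULTS, **spec}
    rules = s.get("rules", [])
    out = []
    if s["background"] is not False and ADMISSION_VAR.search(json.dumps(rules)):
        out.append(("background", "must be false: a rule uses admission-only variables"))
    if s["failurePolicy"] not in ("Ignore", "Fail"):
        out.append(("failurePolicy", "allowed values are Ignore or Fail"))
    elif s["failurePolicy"] == "Ignore":
        out.append(("failurePolicy", "Ignore: policy results may be ignored on error or timeout"))
    if s["schemaValidation"] is False:
        out.append(("schemaValidation", "false disables policy validation checks"))
    action = s["validationFailureAction"]
    if action not in ("audit", "enforce"):
        out.append(("validationFailureAction", "expected audit or enforce"))
    elif action == "audit" and any("validate" in r for r in rules):
        out.append(("validationFailureAction", "audit admits failing requests and only reports"))
    t = s["webhookTimeoutSeconds"]
    if isinstance(t, bool) or not isinstance(t, int) or not 1 <= t <= 30:
        out.append(("webhookTimeoutSeconds", "must be an integer between 1 and 30"))
    return out


# Constructed sample specs (not taken from the Kyverno documentation).
WEAK_SPEC = {
    "failurePolicy": "Ignore",
    "webhookTimeoutSeconds": 45,
    "rules": [{"name": "check-requesting-user",
               "validate": {"message": "denied for {{request.userInfo.username}}"}}],
}
HARDENED_SPEC = {**WEAK_SPEC, "background": False, "failurePolicy": "Fail",
                 "validationFailureAction": "enforce", "webhookTimeoutSeconds": 10}

if __name__ == "__main__":
    for field, msg in lint_policy_spec(WEAK_SPEC):
        print(f"{field}: {msg}")
```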