{
  "description": "PolicyException declares resources to be excluded from specified policies.",
  "properties": {
    "apiVersion": {
      "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
      "type": "string"
    },
    "kind": {
      "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
      "type": "string"
    },
    "metadata": {
      "type": "object"
    },
    "spec": {
      "description": "Spec declares policy exception behaviors.",
      "properties": {
        "allowedValues": {
          "description": "AllowedValues specifies values that can be used in CEL expressions to bypass policy checks.\nThese values can be referenced in CEL expressions via `exceptions.allowedValues`.",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "images": {
          "description": "Images specifies container images to be excluded from policy evaluation.\nThese excluded images can be referenced in CEL expressions via `exceptions.allowedImages`.",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "matchConditions": {
          "description": "MatchConditions is a list of CEL expressions that must be met for a resource to be excluded.",
          "items": {
            "description": "MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.",
            "properties": {
              "expression": {
                "description": "Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.",
                "type": "string"
              },
              "name": {
                "description": "Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.",
                "type": "string"
              }
            },
            "required": [
              "expression",
              "name"
            ],
            "type": "object",
            "additionalProperties": false
          },
          "type": "array"
        },
        "policyRefs": {
          "description": "PolicyRefs identifies the policies to which the exception is applied.",
          "items": {
            "properties": {
              "kind": {
                "description": "Kind is the kind of the policy",
                "type": "string"
              },
              "name": {
                "description": "Name is the name of the policy",
                "type": "string"
              }
            },
            "required": [
              "kind",
              "name"
            ],
            "type": "object",
            "additionalProperties": false
          },
          "type": "array"
        },
        "reportResult": {
          "default": "skip",
          "description": "ReportResult indicates whether the policy exception should be reported in the policy report\nas a skip result or pass result. Defaults to \"skip\".",
          "enum": [
            "skip",
            "pass"
          ],
          "type": "string"
        }
      },
      "required": [
        "policyRefs"
      ],
      "type": "object",
      "additionalProperties": false
    }
  },
  "required": [
    "spec"
  ],
  "type": "object"
}
