| 1 | +--- |
| 2 | +subcategory: "admissionregistration/v1" |
| 3 | +page_title: "Kubernetes: kubernetes_validating_admission_policy_v1" |
| 4 | +description: |- |
| 5 | + A Validating Admission Policy describes the definition of an admission validation policy that accepts or rejects an object without changing it. |
| 6 | +--- |
| 7 | + |
| 8 | +# kubernetes_validating_admission_policy_v1 |
| 9 | + |
| 10 | +A Validating Admission Policy describes the definition of an admission validation policy that accepts or rejects an object without changing it. |
| 11 | + |
| 12 | +<!-- schema generated by tfplugindocs --> |
| 13 | + |
| 14 | +## Schema |
| 15 | + |
| 16 | +### Required |
| 17 | + |
| 18 | +- `metadata` (Block, Min: 1, Max: 1) Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata (see below for nested schema) |
| 19 | +spec (Block, Min: 1, Max: 1) Specification of the desired behavior of the ValidatingAdmissionPolicy. (see below for nested schema) |
| 20 | + |
| 21 | +### Optional |
| 22 | + |
| 23 | +- `timeouts` (Block) Configurable timeout for CRUD operations (see below for nested schema) |
| 24 | + |
| 25 | +### Read-Only |
| 26 | + |
| 27 | +- `id` (String) The ID of this resource. |
| 28 | + |
| 29 | +<a id="nestedblock--metadata"></a> |
| 30 | +Nested Schema for `metadata` |
| 31 | + |
| 32 | +### Optional |
| 33 | + |
| 34 | +- `annotations` (Map of String) An unstructured key value map stored with the resource that may be used to store arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ |
| 35 | +- `generate_name` (String) GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency |
| 36 | +labels (Map of String) Map of string keys and values that can be used to organize and categorize (scope and select) objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ |
| 37 | +- `name` (String) Name of the ValidatingAdmissionPolicy, must be unique. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| 38 | +- `namespace` (String) Namespace defines the space within which the resource name must be unique. Note: ValidatingAdmissionPolicy is a cluster-scoped resource, so namespace should typically not be set. |
| 39 | + |
| 40 | +### Read-Only |
| 41 | + |
| 42 | +- `generation` (Number) A sequence number representing a specific generation of the desired state. |
| 43 | +- `resource_version` (String) An opaque value that represents the internal version of this object that can be used by clients to determine when the object has changed. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency |
| 44 | +uid (String) The unique in time and space value for this object. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids |
| 45 | + |
| 46 | +<a id="nestedblock--spec"></a> |
| 47 | +Nested Schema for `spec` |
| 48 | + |
| 49 | +### Required |
| 50 | + |
| 51 | +- `audit_annotations` (Block List, Min: 1) AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. (see below for nested schema) |
| 52 | +- `failure_policy` (String) FailurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or misconfigured policy definitions or bindings. Allowed values are Fail or Ignore. Defaults to Fail. |
| 53 | +- `match_constraints` (Block, Min: 1, Max: 1) MatchConstraints specifies what resources this policy is designed to validate. The policy cares about a request if it matches all Constraints. (see below for nested schema) |
| 54 | + |
| 55 | +### Optional |
| 56 | + |
| 57 | +- `match_conditions` (Block List) MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules. An empty list of matchConditions matches all requests. (see below for nested schema) |
| 58 | +- `param_kind` (Block, Max: 1) ParamKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy. (see below for nested schema) |
| 59 | +- `validations` (Block List) Validations contain CEL expressions which is used to apply the validation. (see below for nested schema) |
| 60 | +- `variables` (Block List) Variables contain definitions of variables that can be used in composition of other expressions. (see below for nested schema) |
| 61 | + |
| 62 | +<a id="nestedblock--spec--audit_annotations"></a> |
| 63 | +Nested Schema for `spec.audit_annotations` |
| 64 | + |
| 65 | +### Required |
| 66 | + |
| 67 | +- `key` (String) Key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name no more than 63 bytes in length. |
| 68 | +- `value_expression` (String) ValueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. |
| 69 | + |
| 70 | +<a id="nestedblock--spec--match_conditions"></a> |
| 71 | +Nested Schema for `spec.match_conditions` |
| 72 | + |
| 73 | +### Required |
| 74 | + |
| 75 | +- `expression` (String) Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer. |
| 76 | +- `name` (String) Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. |
| 77 | + |
| 78 | +<a id="nestedblock--spec--match_constraints"></a> |
| 79 | +Nested Schema for `spec.match_constraints` |
| 80 | + |
| 81 | +### Optional |
| 82 | + |
| 83 | +- `exclude_resource_rules` (Block List) ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules. (see below for nested schema) |
| 84 | +- `match_policy` (String) MatchPolicy defines how the "MatchResources" list is used to match incoming requests. Allowed values are Exact or Equivalent. Defaults to Equivalent. |
| 85 | +- `namespace_selector` (Block, Max: 1) NamespaceSelector decides whether to run the admission control policy on an object based on whether the namespace for that object matches the selector. (see below for nested schema) |
| 86 | +- `object_selector` (Block, Max: 1) ObjectSelector decides whether to run the validation based on if the object has matching labels. (see below for nested schema) |
| 87 | +- `resource_rules` (Block List) ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches any Rule. (see below for nested schema) |
| 88 | + |
| 89 | +<a id="nestedblock--spec--match_constraints--exclude_resource_rules"></a> |
| 90 | +Nested Schema for `spec.match_constraints.exclude_resource_rules` |
| 91 | + |
| 92 | +### Required |
| 93 | + |
| 94 | +- `api_groups` (List of String) APIGroups is the API groups the resources belong to. * is all groups. If * is present, the length of the slice must be one. |
| 95 | +- `api_versions` (List of String) APIVersions is the API versions the resources belong to. * is all versions. If * is present, the length of the slice must be one. |
| 96 | +- `operations` (List of String) Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all operations. |
| 97 | +- `resources` (List of String) Resources is a list of resources this rule applies to. For example: pods means pods. pods/log means the log subresource of pods. * means all resources. |
| 98 | + |
| 99 | +### Optional |
| 100 | + |
| 101 | +- `resource_names` (List of String) ResourceNames is an optional allowlist of names that the rule applies to. An empty set means that everything is allowed. |
| 102 | +- `scope` (String) Scope specifies the scope of this rule. Valid values are Cluster, Namespaced, and *. Default is *. |
| 103 | + |
| 104 | +<a id="nestedblock--spec--match_constraints--namespace_selector"></a> |
| 105 | +Nested Schema for `spec.match_constraints.namespace_selector` |
| 106 | + |
| 107 | +### Optional |
| 108 | + |
| 109 | +- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see below for nested schema) |
| 110 | +- `match_labels` (Map of String) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". |
| 111 | + |
| 112 | +<a id="nestedblock--spec--match_constraints--namespace_selector--match_expressions"></a> |
| 113 | +Nested Schema for `spec.match_constraints.namespace_selector.match_expressions` |
| 114 | + |
| 115 | +### Optional |
| 116 | + |
| 117 | +- `key` (String) The label key that the selector applies to. |
| 118 | +- `operator` (String) Operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. |
| 119 | +- `values` (List of String) An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. |
| 120 | + |
| 121 | +<a id="nestedblock--spec--match_constraints--object_selector"></a> |
| 122 | +Nested Schema for `spec.match_constraints.object_selector` |
| 123 | + |
| 124 | +### Optional |
| 125 | + |
| 126 | +- `label_selector` (Block, Max: 1) A label query over a set of resources. (see below for nested schema) |
| 127 | + |
| 128 | +<a id="nestedblock--spec--match_constraints--object_selector--label_selector"></a> |
| 129 | +Nested Schema for `spec.match_constraints.object_selector.label_selector` |
| 130 | + |
| 131 | +### Optional |
| 132 | + |
| 133 | +- `match_expressions` (Block List) A list of label selector requirements. The requirements are ANDed. (see below for nested schema) |
| 134 | +- `match_labels` (Map of String) A map of {key,value} pairs. |
| 135 | + |
| 136 | +<a id="nestedblock--spec--match_constraints--object_selector--label_selector--match_expressions"></a> |
| 137 | +Nested Schema for `spec.match_constraints.object_selector.label_selector.match_expressions` |
| 138 | + |
| 139 | +### Optional |
| 140 | + |
| 141 | +- `key` (String) The label key that the selector applies to. |
| 142 | +- `operator` (String) Operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. |
| 143 | +- `values` (List of String) An array of string values. |
| 144 | + |
| 145 | +<a id="nestedblock--spec--match_constraints--resource_rules"></a> |
| 146 | +Nested Schema for `spec.match_constraints.resource_rules` |
| 147 | + |
| 148 | +### Required |
| 149 | + |
| 150 | +- `api_groups` (List of String) APIGroups is the API groups the resources belong to. * is all groups. |
| 151 | +- `api_versions` (List of String) APIVersions is the API versions the resources belong to. * is all versions. |
| 152 | +- `operations` (List of String) Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all operations. |
| 153 | +- `resources` (List of String) Resources is a list of resources this rule applies to. |
| 154 | + |
| 155 | +### Optional |
| 156 | + |
| 157 | +- `resource_names` (List of String) ResourceNames is an optional allowlist of names that the rule applies to. |
| 158 | +- `scope` (String) Scope specifies the scope of this rule. Valid values are Cluster, Namespaced, and *. |
| 159 | + |
| 160 | +<a id="nestedblock--spec--param_kind"></a> |
| 161 | +Nested Schema for `spec.param_kind` |
| 162 | + |
| 163 | +### Required |
| 164 | + |
| 165 | +- `api_version` (String) APIVersion is the API group version the resources belong to. In format of "group/version". |
| 166 | +- `kind` (String) Kind is the API kind the resources belong to. |
| 167 | + |
| 168 | +<a id="nestedblock--spec--validations"></a> |
| 169 | +Nested Schema for `spec.validations` |
| 170 | + |
| 171 | +### Required |
| 172 | + |
| 173 | +- `expression` (String) Expression represents the CEL expression which is evaluated to validate the resource. Must evaluate to bool. |
| 174 | +- `message` (String) Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. |
| 175 | + |
| 176 | +### Optional |
| 177 | + |
| 178 | +- `message_expression` (String) MessageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. |
| 179 | +- `reason` (String) Reason represents a machine-readable description of why this validation failed. Valid values are: Unauthorized, Forbidden, Invalid, RequestEntityTooLarge. If not set, Invalid is used. |
| 180 | + |
| 181 | +<a id="nestedblock--spec--variables"></a> |
| 182 | +Nested Schema for `spec.variables` |
| 183 | + |
| 184 | +### Optional |
| 185 | + |
| 186 | +- `expression` (String) Expression is the expression that will be evaluated as the value of the variable. |
| 187 | +- `name` (String) Name is the name of the variable. The variable can be accessed in other expressions through variables.<name>. |
| 188 | + |
| 189 | +<a id="nestedblock--timeouts"></a> |
| 190 | +Nested Schema for `timeouts` |
| 191 | + |
| 192 | +### Optional |
| 193 | + |
| 194 | +- `create` (String) Timeout for creating the resource. Default is 20 minutes. |
| 195 | +- `delete` (String) Timeout for deleting the resource. Default is 20 minutes. |
| 196 | +- `read` (String) Timeout for reading the resource. Default is 20 minutes. |
| 197 | +- `update` (String) Timeout for updating the resource. Default is 20 minutes. |
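Review bot: several generated-schema lines in this file are malformed markdown and will render wrong. Lines 19 (`spec (Block, Min: 1, Max: 1) ...`), 36 (`labels (Map of String) ...`) and 44 (`uid (String) ...`) are missing the `- ` list marker and the backticks around the attribute name that every sibling entry has, so they render as run-on paragraph text instead of list items; they should read `- `spec` (Block, Min: 1, Max: 1) Specification of the desired behavior ...` and likewise for `labels` and `uid`. Every "Nested Schema for `...`" line (lines 30, 47, 63, 71, 79, 90, 105, 113, 122, 129, 137, 146, 161, 169, 182, 190) is missing its `### ` heading prefix, so the `### Required` / `### Optional` headings that follow float under the previous block's heading; the usual tfplugindocs output is `### Nested Schema for `metadata``. Separately, the Required/Optional placement in `spec` looks inconsistent with the descriptions: `failure_policy` is listed under Required but says "Defaults to Fail", `audit_annotations` is Required with `Min: 1` while `validations` is Optional (which would force every policy to declare an audit annotation before it can declare a validation), `spec.validations.message` is Required but described as required only "if the Expression contains line breaks", and `spec.variables` lists both `name` and `expression` as Optional even though a variable cannot be referenced via `variables.<name>` without both. Please check these against the resource schema this doc was generated from and regenerate rather than hand-editing.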