Resource Definitions

Custom Resource Definitions (CRDs) for Kyverno policies and other types.

Kyverno uses Kubernetes Custom Resource Definitions (CRDs) for policy definitions, policy reports, and other internal types.

The complete Kyverno CRD reference can be viewed here.

The HTML source is available in the Kyverno GitHub repository and generated from type definitions stored here.

kubectl explain

When operating in a Kubernetes cluster with Kyverno installed, you can always inspect Kyverno types natively using kubectl explain.

For example, this is the definition of a Kyverno Policy resource at policy.spec:

 1KIND:     Policy
 2VERSION:  kyverno.io/v1
 3
 4RESOURCE: spec <Object>
 5
 6DESCRIPTION:
 7     Spec defines policy behaviors and contains one or more rules.
 8
 9FIELDS:
10   background   <boolean>
11     Background controls if rules are applied to existing resources during a
12     background scan. Optional. Default value is "true". The value must be set
13     to "false" if the policy rule uses variables that are only available in the
14     admission review request (e.g. user name).
15
16   failurePolicy        <string>
17     FailurePolicy defines how unrecognized errors from the admission endpoint
18     are handled. Rules within the same policy share the same failure behavior.
19     Allowed values are Ignore or Fail. Defaults to Fail.
20
21   rules        <[]Object>
22     Rules is a list of Rule instances. A Policy contains multiple rules and
23     each rule can validate, mutate, or generate resources.
24
25   schemaValidation     <boolean>
26     Deprecated.
27
28   validationFailureAction      <string>
29     ValidationFailureAction controls if a validation policy rule failure should
30     disallow the admission review request (enforce), or allow (audit) the
31     admission review request and report an error in a policy report. Optional.
32     Allowed values are `Audit` or `Enforce`. The default value is `Audit`.
33
34   validationFailureActionOverrides     <[]Object>
35     ValidationFailureActionOverrides is a Cluter Policy attribute that
36     specifies ValidationFailureAction namespace-wise. It overrides
37     ValidationFailureAction for the specified namespaces.
38
39   webhookTimeoutSeconds        <integer>
40     WebhookTimeoutSeconds specifies the maximum time in seconds allowed to
41     apply this policy. After the configured time expires, the admission request
42     may fail, or may simply ignore the policy results, based on the failure
43     policy. The default timeout is 10s, the value must be between 1 and 30
44     seconds.

Kyverno’s support for structural schemas also enables integrated help in Kubernetes enabled Integrated Development Environments (IDEs) like VS Code with the Kubernetes Extension installed.


Last modified June 08, 2024 at 6:16 PM PST: Docsy bump to 0.10.0 and docs fixes/enhancements (#1274) (ed2056b)